A proposal for a fraud risk/internal control assessment just landed on your desk. It’s $15,000 and all you can think is, “Are internal controls that important?” On the list of investments you want to make in your business, a consultant - particularly over your accounting function - ranks extremely low. I know because when I owned my practice, I thought that too.
Like any good founder, owner, or executive, you’ve retained a qualified CPA firm to review or audit your financials each year and file your tax returns. You might balk at their bill every now and then, but you know they keep you on the right side of the IRS. You also know, like insurance, the CPA firm’s fee is going to seem like pennies compared to the cost of the potential audit you might get if you didn’t lean on their expertise.
Take it from a fraud investigation practitioner – you should be thinking of that internal control assessment like insurance too. Here’s why:
A Law Firm Story
A father and son owned a law practice together. It was a small shop, family business, with a lot of long-tenured staff. One of their longest tenured employees was their receptionist-turned-office manager, Barbara, who knew anything and everything about how that place ran, and she made sure it did. Unknown to anyone in the office, Dad and Barbara were in a long-running affair. When Dad died, Son took over, and Barbara stayed on. Son didn’t feel the need to oversee Barbara’s work - as long as he was making payroll and maintaining a healthy draw each month like always, what was there to worry about?
Before we go any deeper into the story, it’s important to understand the “fraud triangle”. It’s a concept developed by a researcher fascinated by crime, Donald Cressey, who was curious about what made an employee steal from their employer. By interviewing convicted embezzlers, he found that three criteria need to be in place for fraud to occur: opportunity, pressure, and justification. Opportunity means that an individual is in a position of trust with respect to an organization’s funds, and there’s little or no oversight for their role. Pressure means that the individual is facing some personal issue that stretches their finances, motivating them to consider obtaining money through any feasible channel. Justification means that the individual found a way to rationalize the idea of taking the money, such as “I could just borrow it and pay it back; no one would know.”
Back to our law firm story - Barbara was pretty salty that she was left nothing in Dad’s will after all those years as his lover, and her weekend trips to the casino were getting costlier – the more she drank to drown her woes, the more she lost. What happened next? Barbara had an opportunity, she needed cash, and she took it because she felt she deserved it. Son only found out when it was too late - he couldn’t make payroll. $65,000 in legal and accounting fees later, son had to pare down his staff and do some reputation cleanup to get his clients back.
A Food Distributor Story
Jane was the pride of her family. She started her private label sauce company in her apartment kitchen, and it took off. Jane’s books weren’t the best kept – she recorded her revenue and expenses appropriately but didn’t really pay attention (or care) whether she swiped her business or personal credit card for household expenses because it would “all come out in the wash” when reconciled at year end. Receipts, she felt, weren’t necessary because all the activity was visible in electronic records if she ever needed it. Jane’s company was eventually acquired by a publicly traded distributor, yet Jane maintained her autonomy overseeing her own sauce brand. Turnover in the distributor’s C-suite caused some gaps in routine expense policy oversight, and a disgruntled employee called in an anonymous tip that alleged Jane was using company funds for personal purchases. Oversight by the Securities and Exchange Commission (SEC) requires publicly traded companies to launch formal investigations when fraud is alleged. Hundreds of thousands of dollars in legal and accounting fees later, no fraud was detected, but Jane’s practice of reconciling and paying back personal purchases at year end technically meant that the company loaned her that money and did not properly disclose the loan on their SEC filings – a fate far worse than a surprise, six-figure investigation.
Pay Now or Pay Later
As the saying goes, the devil you know is better than the devil you don’t know. Outdated or inadequately designed controls, excessive system access, and a lack of segregation of duties are the devil you don’t know. An internal control assessment by an objective professional highlights the areas that leave you most vulnerable to fraud, error, and inefficiency and provides reasonable steps on how to remediate them before incurring a major loss. The two stories above illustrate that losses don’t only occur by fraud, but also by sloppy accounting practices. Investing money now to protect against risk is far better than spending many times that later on. Bonadio’s Advisory and Consulting Group offers a suite of services to organizations of all sizes, from internal control and fraud risk assessments to fraud investigations. Contact our Internal Audit or Fraud/Forensic teams any time to learn more.
If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.