Having good internal controls is an important measure to reduce an
organization's risk of being victimized by fraud and can help prevent or
detect material errors in the accounting system. To assist your
organization in identifying risks and designing appropriate internal
controls, we have prepared an illustrative example of XYZ, Inc.
XYZ is a nonprofit organization that meets an important need in its
local community. XYZ has several program employees at multiple locations
who are involved in the daily operations to fulfill the organization's
mission and two administrative employees who handle management and
general accounting functions. XYZ has an active board of directors whose
members feel passionate about the mission of the organization. XYZ's board knew
that the small number of administrative staff made the organization
particularly vulnerable to fraud. Because the board of directors felt
strongly about the importance of XYZ's mission, they performed a risk
assessment to address fraud risks that could one day hinder XYZ's future
operations. Below is a summary of the results of XYZ's risk assessment
and the internal controls the board implemented to help ensure the
organization's future success.
Cash disbursements
The first and most significant risk area identified was cash
disbursements. Prior to the risk assessment, Sam, the controller,
performed all accounting functions and banking. Leslie, the executive
director, managed the organization's programs with little accounting
oversight. The risk assessment revealed that Sam could have taken
advantage of the lack of oversight to use organization funds to pay for
personal purchases by recording the purchases as the organization's
expenses and paying them using XYZ's check book, a type of billing
scheme. Sam could also use the company credit card in a similar fashion.
Other risks were also identified, such as fraudulent employee
reimbursements and check tampering.
To reduce XYZ's exposure to these risks, the board mandated a change in
procedures to increase internal controls. First, to address the risk of
the controller recording personal purchases as the organization's
expenses and paying them with XYZ's checkbook, the board of directors
limited custody of the organization's check stock so that only the
executive director had possession and could print checks. The ability to
add and change vendors in the accounting system was also given
exclusively to the executive director so that the controller would not
be able to add vendors and submit altered invoices for personal
purchases. The board limited record-keeping access to the
accounting system so that only the controller could post journal entries
and record expenses. The board also changed the authorized signers on
the account so that only the treasurer, the chairperson and the vice
chairperson had the ability to sign checks. As a further precaution, the
board signed up for positive pay at its local bank to prevent checks
that were not approved from clearing the bank. A process was put into
place so that checks were printed only once per week and then given to
one of the authorized signers to review with the supporting
documentation to verify that only valid business expenses were being
paid. It remained the controller's responsibility to reconcile the bank
statement against the cancelled checks; however, the board began
reviewing the monthly bank reconciliations and the monthly activity of
cleared checks.
Payroll disbursements
As with cash disbursements, Sam, the controller, managed the entire
payroll process. Sam collected and reviewed each employee's time card
and entered the hours worked during the pay period into the payroll
program. Sam also entered each employee's hourly wage and benefits
information. After entering the payroll data for the period, Sam was
the only person to review the payroll register before it was processed
and direct deposit was initiated. This process made it possible for Sam
to increase his own wages without anyone noticing.
To better control this process, the board of directors restricted the
controller's ability to add employees or change pay rates and other
information in the payroll module. This function was given to the
executive director. The controller retained the responsibility of
entering each employee's time in the payroll system; however, employee
time sheets now required the approval of the employee's direct
supervisor to ensure that hours were not overstated. The executive
director reviewed the pre-process and post-process payroll registers and
a summary of changes to employee rates and benefits to ensure that the
payroll was correctly processed and as a double check that the hours
each employee worked were not unusual. The executive director was also
responsible for transferring money from XYZ's operating account to XYZ's
payroll account after the pre-process register was approved.
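As an added illustration (not part of the original article), the following Python models the before-and-after duty assignments for XYZ's cash disbursement and payroll processes, constructed from the narrative above, and flags anyone who holds two or more of the three incompatible duty classes (custody of assets, authorization of transactions, recording in the books) within one process. Duty names, role labels and the class mapping are assumptions chosen for this example; vendor-master maintenance and review duties are left out of the check.

```python
from collections import defaultdict

# Assumed mapping of each duty to the classic incompatible duty classes.
DUTY_CLASS = {
    "print_checks": "custody",
    "sign_checks": "authorization",
    "post_entries": "recording",
    "enter_hours": "recording",
    "change_pay_rates": "authorization",
    "approve_payroll_register": "authorization",
    "approve_time_sheets": "authorization",
}

# Constructed from the narrative: process -> duty -> people holding it.
BEFORE = {
    "cash_disbursements": {
        "print_checks": ["Sam"], "sign_checks": ["Sam"],
        "post_entries": ["Sam"],
    },
    "payroll": {
        "enter_hours": ["Sam"], "change_pay_rates": ["Sam"],
        "approve_payroll_register": ["Sam"],
    },
}
AFTER = {
    "cash_disbursements": {
        "print_checks": ["Leslie"],
        "sign_checks": ["Treasurer", "Chair", "Vice chair"],
        "post_entries": ["Sam"],
    },
    "payroll": {
        "enter_hours": ["Sam"], "change_pay_rates": ["Leslie"],
        "approve_payroll_register": ["Leslie"],
        "approve_time_sheets": ["Supervisor"],
    },
}

def sod_conflicts(assignments):
    """Return (process, person, classes) for every person who holds two or
    more incompatible duty classes within the same process."""
    found = []
    for process, duties in sorted(assignments.items()):
        held = defaultdict(set)           # person -> duty classes held
        for duty, people in duties.items():
            for person in people:
                held[person].add(DUTY_CLASS[duty])
        for person, classes in sorted(held.items()):
            if len(classes) > 1:
                found.append((process, person, tuple(sorted(classes))))
    return found

if __name__ == "__main__":
    print("before:", sod_conflicts(BEFORE))
    print("after: ", sod_conflicts(AFTER))
```

Running it shows the controller holding all three classes in cash disbursements and two in payroll before the changes, and no person holding more than one class in either process afterwards.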
Cash receipts
Another significant risk area identified as a result of the risk
assessment was cash receipts. Prior to the risk assessment, Sam, the
controller, could have used a few accounting tricks to skim money from
XYZ (steal cash receipts before they were deposited). Because Sam had
custody of contributions and program income received, he could have
skimmed some of it before it was deposited into XYZ's bank account. If
the transaction had previously been recorded as a sale and receivable,
Sam could also have concealed the skimmed cash by removing or reducing the
sale in the accounting system, voiding the sale, writing off the
receivable, lapping the receivable with a subsequent receipt, etc. If
the cash skimmed was an unsolicited contribution, it would have been
nearly impossible to detect the theft.
To reduce the risk of cash being skimmed from XYZ, the board of
directors required that two people be present to open the mail at all
times to help prevent cash and check contributions from being skimmed
before being recorded as received. It was required that while opening
the mail, the executive director immediately restrictively endorse all
checks received as "For Deposit Only XYZ, inc." and log the amount and
source of all cash and checks received. The controller's responsibility
included verifying the balance of the deposit and taking the deposit to
the bank. The executive director was responsible for reviewing the
deposit slip and agreeing it to the daily cash receipts log.
If checks or cash were received that were not ready to be deposited for
any reason, the controller recorded them in the accounting system as a
temporary deposit asset and liability. The executive director was
responsible for maintaining custody of the money.
Conclusion
Performing a fraud risk assessment is a critical step in an ongoing
process to ensure that internal controls are appropriate for
your organization. Even though XYZ, Inc., in the example above is not a
real organization, its internal control model may provide helpful
insight into potential risks within your own organization and steps that
could be used to mitigate them. Also consider that while these controls
may be appropriate for many organizations, they may not be best suited
for yours. It is important to think critically about risks as they relate
to your own organization in particular and design internal controls
accordingly. Please contact us if you would like assistance in assessing
your organization's risks and implementing an appropriate system of
internal controls.