When Good Employees Go Bad
Developing internal controls and red flags to prevent theft and embezzlement
By Anne Renna
A few years ago, I was engaged by an insurance company to validate a fraud claim. The embezzlement was alleged to have been perpetrated by a highly regarded employee in a small service business. It was a relatively large claim because the fraud had taken place over the course of approximately five years. The claim was made up of over 100 disbursements, checks written primarily to various credit card companies, which paid the credit card debt of the perpetrator. The attorney for the insurance carrier wanted to know why the embezzlement occurred for such a long period of time before it was finally uncovered by the company owner’s spouse.
Customary business practices include the establishment of internal controls, generally defined as systems, policies, and procedures that provide reasonable assurance in reducing the risk of asset loss. Internal controls apply to all entities, but it may be implemented differently depending on the size of the company. Insurance carriers often want to know whether customary controls exist at the claimant’s business because, without them, the risk of a fraud loss is elevated to a very high level. Additionally, without such controls, if a fraud scheme were to occur, the loss likely would be great because it would not be detected in its early stages.
Segregation of duties, an important component of internal controls and something found in large companies, reduces the opportunity for an employee to both perpetrate and cover up a theft in the normal course of her duties. This is because without segregation of duties, the employee “touches” a significant portion, if not all, of a transaction from the beginning to the end. Segregation of duties often is lacking in small businesses. However, internal control principles state that a lack of segregation of duties can be overcome through management oversight and review.
According to a report by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) entitled, “Internal Control – Integrated Framework,” management oversight and review would include the regular and timely review of financial statements or reports, detailed transaction reports, the periodic observation and counting of physical inventory and equipment and comparing them to the accounting records, and the review of reconciliations of account balances, such as cash, accounts receivable, and accounts payable.
In the case described above, the largest individual disbursement in the claim was part of a complicated scenario in which a valid check was processed, intercepted by the perpetrator before mailing, redeposited into the bank account, and then a new disbursement in the same amount was made payable to one of the perpetrator’s credit card companies. This lengthy set of events caused all of the steps involved to not be completely recorded in the accounting system in one month but rather stretched into the next month. The perpetrator was not an accountant, and, therefore, did not understand the consequences of not being able to record all aspects of the scenario in the same month.
The consequence is that the bank reconciliation at month’s end displayed the disbursement amount as a “pending difference.” This dollar amount was needed to reconcile the cash balance because not all aspects of the transaction had been recorded by month’s end. Management viewed this as a simple timing difference and did not make inquiries or look further into it. This occurred for almost two years before the fraud ultimately was uncovered.
One might say that timing differences are not that unusual in bank reconciliations. For example, outstanding checks and deposits in transit are timing differences. But during this time period, the books also showed a decline in revenue, which may have been too quickly excused by the owner. The decline in revenue was directly related to the unauthorized disbursements and was consistently increasing over time. As a result, this was a second item that should have been pursued.
In the Association of Certified Fraud Examiners 2016 fraud study entitled, “Report to the Nations,” the median duration of disbursement-type frauds is 24 months. It also found that only 12.7 percent of frauds initially are detected from management review and 4.4 percent from account reconciliations for companies with more than 100 employees. If these two internal controls were being performed effectively, these two percentages would be much higher.
Large corporations, including publicly traded organizations, consistently are surveyed by PricewaterhouseCoopers (PwC). In PwC’s “2014 Global Economic Crime Survey,” its analysis revealed that 55 percent of the survey’s frauds were detected by some type of internal control. However, in its “Global Economic Crime Survey 2016: U.S. Results,” its analysis looked at economic crime from the standpoint of what is known as the “fraud triangle.” The fraud triangle is a model designed to explain the reasoning behind an employee’s decision to commit workplace fraud. The three points of the triangle include: incentive or pressure; rationalization; and opportunity. PwC found that the opportunity or ability to commit the crime was a factor in 57 percent of the economic crimes in the 2016 survey. This would directly relate to internal controls.
Virtually all frauds have some kind of red flag. When employee embezzlements occur over a relatively long period and the loss is great, insurance carriers should look closely at the adequacy and reasonableness of the claimant’s internal controls (in particular, those that relate to management review and oversight) and validate whether these controls were performed in a timely manner during the period in question. Well-designed internal controls should spot red flags, providing reasonable assurance that the fraud will be detected in its early stages.