CHAPTER 8:

I. FRAUD AND INTERNAL CONTROL

1. Fraud

Definition: A fraud is a dishonest act by an employee that results in personal benefit to

the employee at a cost to the employer
Examples:
+ A bookkeeper diverted $750,000 of bill payments to a personal bank
+ A shipping clerk shipped $125,000 of merchandise to himself
+ A computer operator embezzled $21 million
+ A church treasurer “borrowed” $150,000 of church funds

The three main factors that contribute to fraudulent activity are

- Opportunity: Opportunities occur when the workplace lacks sufficient controls to
deter and detect fraud. For example, inadequate monitoring of employee actions
can create opportunities for theft and can embolden employees because they
believe they will not be caught
- Financial pressure: personal financial problems caused by too much debt. Or,
want to lead a lifestyle that they cannot afford on their current salary.
- Rationalization: In order to justify their fraud, employees rationalize their
dishonest actions. For example, believe they are underpaid while the employer is
making lots of money. Or, because believe they deserve to be paid more
 -

2. Sarbanes-Oxley Act (SOX)

Congress addressed this issue by passing the Sarbanes-Oxley Act (SOX) . Under SOX,
all publicly traded U.S. corporations are required to maintain an adequate system of
internal control. Corporate executives and boards of directors must ensure that these
controls are reliable and effective. In addition, independent outside auditors must
attest to the adequacy of the internal control system. Companies that fail to comply are
subject to fines, and company officers can be imprisoned. SOX also created the Public
Company Accounting Oversight Board (PCAOB) to establish auditing standards
and regulate auditor activity.

3. Internal Control

+ All the related methods and measures adopted within an organization to safeguard
assets,
+ Enhance the reliability of accounting records,
+ Increase the efficiency of operations, and
+ Ensure compliance with laws and regulations.
Internal control systems have five primary components:
+ A control environment. organization values integrity and that unethical activity
will not be tolerated. referred to as the “tone at the top.”

+ Risk assessment. Companies must identify and analyze the various factors that
create risk for the business and must determine how to manage these risks.

+ Control activities. To reduce the occurrence of fraud, management must design

policies and procedures to address the specific risks faced by the company.

+ Information and communication. The internal control system must capture

and communicate all pertinent information both down and up the
organization, as well as communicate information to appropriate external
parties.

+ Monitoring. Internal control systems must be monitored periodically for their

adequacy. Significant deficiencies need to be reported to top management
and/or the board of directors.

4. Principles of Internal Control Activities

The control activities are the backbone of the company’s efforts to address the risks it
faces, such as fraud. The specific control activities used by a company will vary,
depending on management’s assessment of the risks faced. This assessment is heavily
influenced by the size and nature of the company.

The six principles of control activities:

• Establishment of responsibility
• Segregation of duties
• Documentation procedures
• Physical controls
• Independent internal verification
• Human resource controls

4.1. ESTABLISHMENT OF RESPONSIBILITY

Control is most effective when only one person is responsible for a given task
If only one person has operated the register, the shift manager can quickly determine
responsibility for the shortage. If two or more individuals have worked the register, it
may be impossible to determine who is responsible for the error

Many retailers solve this problem by having registers with multiple drawers. This allows
the identification of a particular employee with a specific drawer.

Establishing responsibility often requires limiting access only to authorized

personnel, and then identifying those personnel

Use of identifying passcodes enables the company to establish responsibility by

identifying the particular employee who carried out the activity.

● ANATOMY
- Maureen Frugali, a training supervisor at Colossal Healthcare, included fictitious
claims in the training program for trainees. These fictitious claims were supposed to
be sent to the Accounts Payable department to prevent payment. However, Maureen
didn't report all of them, allowing some to be paid to entities under her control.
→ The health-care company did not adequately restrict the responsibility for
authorizing and approving claims transactions. The training supervisor should not have
been authorized to create claims in the company’s “live” system.

4.2. SEGREGATION OF DUTIES

Segregation of duties is indispensable in an internal control system. There are
two common applications of this principle:
1. Different individuals should be responsible for related activities.
2. The responsibility for record-keeping for an asset should be separate from the physical
custody of that asset

The work of one employee should, without a duplication of effort, provide a reliable basis
for evaluating the work of another employee.

For example, the personnel that design and program computerized systems should not
be assigned duties related to day-to-day use of the system. Otherwise, they could
design the system to benefit them personally and conceal the fraud through day-to-day
use

SEGREGATION OF RELATED ACTIVITIES. Making one individual responsible for

related activities increases the potential for errors and irregularities

*Purchasing activities (ordering merchandise, order approval, receiving goods,

authorizing payment, and paying for goods or services)
Various frauds are possible when one person handles related purchasing activities:
• If a purchasing agent is allowed to order goods without obtaining supervisory approval,
the likelihood of the purchasing agent receiving kickbacks from suppliers increases.
• If an employee who orders goods also handles receipt of the goods and invoice, as well
as payment authorization, he or she might authorize payment for a fictitious invoice.

=> These abuses are less likely to occur when companies divide the sales tasks

*Sales activities (making a sale, shipping (or delivering) the goods to the customer,
billing the customer, and receiving payment)

• If a salesperson can make a sale without obtaining supervisory approval, he or she

might make sales at unauthorized prices to increase sales commissions.
• A shipping clerk who also has access to accounting records could ship goods to himself.
• A billing clerk who handles billing and receipt could understate the amount billed for
sales made to friends and relatives.

=> These abuses are less likely to occur when companies divide the sales tasks: The
salespeople make the sale; the shipping department ships the goods on the basis of the
sales order; and the billing department prepares the sales invoice after comparing the
sales order with the report of goods shipped.

● ANATOMY
Lawrence Fairbanks, the assistant vice-chancellor of communications at Aesop
University, exploited his authority to make departmental purchases under $2,500 by
occasionally buying expensive personal items. To conceal his actions, he created fake
vendor invoices with descriptions that resembled legitimate departmental purchases and
submitted them to accounting and accounts payable for payment.
→ The university had not properly segregated related purchasing activities. Lawrence
was ordering items, receiving the items, and receiving the invoice. By receiving the
invoice, he had control over the documents that were used to account for the purchase
and thus was able to substitute a fake invoice.

4.3 SEGREGATION OF RECORD-KEEPING FROM PHYSICAL

CUSTODY

- The accountant should have neither physical custody of the asset nor access to it.
- Likewise, the custodian of the asset should not maintain or have access to the
accounting records
- The custodian of the asset is not likely to convert the asset to personal use when one
employee maintains the record of the asset, and a different employee has physical
custody of the asset

● ANATOMY

Angela Bauer, an accounts payable clerk at Agassiz Construction Company, committed

fraud by writing checks for fictitious expenses, such as fake taxes. She manipulated the
payee line on the checks to divert payments to her personal accounts, which went
unnoticed because she also reconciled the company's bank statements. Consequently, her
altered checks remained concealed from others.
→ Agassiz Construction Company did not properly segregate record-keeping from
physical custody. Angela had physical custody of the checks, which essentially was
control of the cash. She also had record-keeping responsibility because she prepared the
bank reconciliation.

DOCUMENTATION PROCEDURES
Companies should establish procedures for documents. First, whenever possible,
companies should use pre numbered documents, and all documents should be accounted
for.
=> Prenumbering helps to prevent a transaction from being recorded more than once,
or conversely, from not being recorded at all.
Second, the control system should require that employees promptly forward source
documents for accounting entries to the accounting department.
=> This control measure helps to ensure timely recording of the transaction and
contributes directly to the accuracy and reliability of the accounting records.

● ANATOMY
Employees at Mod Fashions Corporation's design center were required to provide
receipts for travel expense reimbursement. Some designers colluded to commit fraud by
submitting duplicate claims for the same expenses. Each of them submitted different
types of receipts for the same expense, resulting in all of them receiving full
reimbursement for the expense.
→ Mod Fashions should require the original, detailed receipt. It should not accept
photocopies, and it should not accept credit card statements. In addition, documentation
procedures could be further improved by requiring the use of a corporate credit card
(rather than a personal credit card) for all business expenses.

PHYSICAL CONTROLS

Physical controls relate to the safeguarding of assets and enhance the accuracy and
reliability of the accounting records.
This picture shows example of these controls.
* ANATOMY

At Centerstone Health, where insurance applications are scanned and accessible online,
two friends, Alex from record-keeping and Parviz the sales agent, devised a scheme.
They identified applications without a listed sales agent, and after hours, Alex added
Parviz's name to the hard-copy applications. Parviz received the commissions, which they
shared, despite these applications not originally involving a sales agent.
→ Centerstone Health lacked crucial physical controls that could have prevented the
fraud. The mailroom should have been securely locked during non-business hours, with
tightly controlled access during business hours. Additionally, the scanned applications'
security was compromised because all employees had the same password as their user ID,
which was accessible to everyone. This allowed unauthorized access to the scanned
applications and enabled Alex to enter the system using another employee's password.

INDEPENDENT INTERNAL VERIFICATION

This principle involves the review of data prepared by employees.

1. Companies should verify records periodically or on a surprise basis.
2. An employee who is independent of the personnel responsible for the information
should make the verification.
3. Discrepancies and exceptions should be reported to a management level that can take
appropriate corrective action
This picture demonstrates the comparison of segregation of duties principle with
independent internal verification principle

Independent internal verification is especially useful in comparing recorded

accountability with existing assets

Large companies often assign independent internal verification to internal auditors.

Internal auditors are company employees who continuously evaluate the effectiveness of
the company’s internal control systems. They review the activities of departments and
individuals to determine whether prescribed internal controls are being followed

● ANATOMY

Bobbi Jean Donnelly, the office manager at Mod Fashions Corporation's design center,
committed fraud by filing expense-reimbursement requests for her personal clothing
purchases. She managed to hide this fraudulent activity because she was responsible for
reviewing and sometimes signing off on all expense reports, including her own.
Additionally, she manipulated the budget by coding her expenses to under-budget items
to avoid detection.
→ Bobbi Jean's boss should have verified her expenses, but he estimated them at
$10,000 per year when they were actually over $115,000. He didn't review her reports
or the budget, citing being "too busy," allowing the fraud to go unnoticed.

HUMAN RESOURCE CONTROLS

1. Bond employees who handle cash.

Bonding involves obtaining insurance protection against theft by employees. It
contributes to the safeguarding of cash in two ways. First, the insurance company
carefully screens all individuals before adding them to the policy and may reject risky
applicants. Second, bonded employees know that the insurance company will vigorously
prosecute all offenders.

2. Rotate employees’ duties and require employees to take vacations.

These measures deter employees from attempting thefts since they will not be able to
permanently conceal their improper actions. Many banks, for example, have
discovered employee thefts when the employee was on vacation or assigned to a new
position

3. Conduct thorough background checks

Many believe that the most important and inexpensive measure any business can take
to reduce employee theft and fraud is for the human resources department to conduct
thorough background checks. Two tips: (1) Check to see whether job applicants
actually graduated from the schools they list. (2) Never use telephone numbers for
previous employers provided by the applicant. Always look them up yourself

● ANATOMY

Ellen Lowry, the desk manager, and Josephine Rodriguez, the head of housekeeping at
the Excelsior Inn, conspired to earn extra money. Ellen provided cash-paying guests
with significant discounts, keeping the cash and not registering the guests in the hotel's
system. She marked the rooms as unavailable for "routine maintenance," and Josephine,
the head of housekeeping, cleaned these rooms during the guests' stay.
→ Ellen, the desk manager, had a fraud accusation in her past, which a thorough
background check could have revealed. The hotel only discovered the fraud when Ellen
was absent due to illness, highlighting the need for a system of mandatory vacations and
rotating days off for detection.

5. Limitations of Internal Control

Companies design internal control systems to provide reasonable assurance of

safeguarding assets and maintaining reliable accounting records. The key principle is that
the cost of implementing control procedures should not exceed the expected benefits
Retail stores use cost-effective control measures to minimize shoplifting losses. Instead
of employing security guards to stop and search customers, they use signs, hidden
cameras, store detectives, and sensor equipment. This example illustrates the balance
between control effectiveness and cost.

The human factor plays a significant role in the effectiveness of internal control
systems. Employee fatigue, carelessness, or indifference can undermine even a
well-designed system. Collusion among employees can also compromise controls,
particularly segregation of duties.

The size of a business can impose limitations on internal control. Small companies often
struggle to segregate duties or provide independent verification. Statistics show that
smaller companies, those with fewer than 100 employees, are at higher risk for employee
theft, with a median loss of $147,000, which can pose a significant threat to their
existence.