A publication of the Connecticut Society of Certified Public Accountants

ConnecticutCPAConnecticutCPASept/Oct 2010 • Vol. 51 Issue 5

www.cscpa.org

advocacy • community • educat ion

Fraud 101 and BeyondCSCPA member Steve Pedneault authors books drawing on his career asa forensic accountant page 6

advocacy • communi ty • educat ion6

The economy was booming … Notreally, but doing slightly better thantoday’s, with the late Ronald Reaganleading our country. Personal comput-ers were entering the workplace, withLotus 1-2-3 and WordPerfect automat-ing ledgers and making typewritersantiquated. The state-of-the-art desk-top was an IBM 286 with a 10 MB harddrive and a 5¼-inch floppy drive.

Most businesses were still maintainingtheir bookkeeping manually, using OneWrite checkbooks and green columnedpaper. A software package called OneWrite Plus, written to automate themanual One Write system, was com-peting with Peachtree for marketshare, running on DOS (DiskOperating System). Monitors displayedin color … one color, that is, and it was

amber, green, or blue. A special moni-tor and video card were required to dis-play in true color (RBG).

Monthly bank statements werereceived in the mail, along with all theactual cancelled checks. Oncereceived, the checks would have to besorted numerically by check number(and not by amount, as a few of mybookkeepers thought) for ease of rec-onciling and to ensure all the checkswere in fact returned. Credit card mer-chant statements were also mailed outmonthly, identifying not only the activi-ty processed during the month but alsothe credit card numbers associatedwith each transaction. Deposit itemshad to be listed separately on thedeposit slip, or at least include anadding machine tape stapled to the

slip, and copies were made of every-thing for the files.

At the end of each month, bank recon-ciliations would be completed, compar-ing the checkbook activity to the actualcancelled checks (and not the printedcheck information provided by the bankon the statement), frequently with thereconciliation completed right on theback of the bank statements them-selves. Recurring entries would berecorded, adjustments posted, andonce the balances were finalized,reports were generated and the periodwas closed – really closed, hard closed.With that, the past accounting periodscould no longer be accessed or adjust-ed, and all subsequent activity wouldhave to be posted in the current months.

Internal Controls 2010:

Should We Head Back to Basics?

By Stephen A. Pedneault, CPA, CFE, CFF, FCPA, Forensic Accounting Services, LLC

Circa 1988 – the beginning of my accounting career.

advocacy • communi ty • educat ion 7

So what changed?

Technology, banking, software, evenwhere and how bookkeeping is com-pleted has changed over the past 20years, with changes occurring evenmore rapidly in the past 10. The returnof cancelled checks was phased out byfinancial institutions and replaced withimages, then front images only, andultimately no images at all. In today’sbanking environment, the images areoften available through the bank’sonline system to be viewed or printedas needed. Even the bank statementsthemselves with some financial institu-tions have been phased out, no longerprovided via paper (or provided at afee), but available any time online.

Deposits can be made today withoutever leaving your desk, scanning thedeposit items and transmitting images(in some cases the MICR line only) ofthe deposit items. The bank nevertakes possession of the deposit items,only a file containing the images.

Mailed monthly credit card merchantstatements have become close toextinct, replaced with on-demandonline access for viewing and printing,with the individual credit card numbersreplaced with transaction numbers ifprovided at all.

Most software packages used todaynever require any monthly close, andthe ones that do have provisions to re-open a closed period. Packages com-monly used like QuickBooks simplycontinue in perpetuity, from day to day,to week, and to year. Today’s account-ing systems could be located on anemployee’s hard drive or laptop at theorganization, or at their house, on theorganization’s file server, or simply outon the Internet (“cloud computing”),where the organization’s most sensi-tive and confidential information ishoused on some server in someunknown area of the world being main-tained by unknown individuals. Thesame holds true for many organiza-tions’ payroll systems.

So where are we heading?

Today’s business climate, in responseto the declined economy, is tougherthan ever. Streamlining, staff reduc-tions, and efficiencies are all keythemes to surviving and maintaining apositive cash flow. With these changescome less segregation of duties andduties once performed no longer beingcompleted due to reduced capacity.

Opportunities to divert funds are beingcreated without thought of the potentialrisks, and coupled with the high levelsof stress, personal financial pressure,low employee morale, and longer workhours, the requisite rationalization canmaterialize, leading an otherwise hon-est employee to “borrow” funds fromhis or her employer.

Despite the downsizing and otherchanges being implemented, it is criti-cal that basic-level internal controls areimplemented and maintained to mini-mize every organization’s risk foremployee fraud and theft.

Complacency kills.

In many recent cases, there appears tobe a trend where good internal controls

On This Issue’s Cover

Stephen A. Pedneault, CPA, CFE, CFF, FCPA is theowner of Forensic Accounting Services, LLC inGlastonbury. In recent years, Pedneault has taken hisknowledge in forensic accounting and fraud to the mass-es, writing three books on the subject. Fraud 101:Techniques and Strategies for Understanding Fraud waspublished in September 2009, Anatomy of a FraudInvestigation in February 2010, and Preventing andDetecting Employee Theft and Embezzlement: APractical Guide was published in June 2010, all by Wiley.

Pedneault, the 2010-2011 CSCPA secretary, is alsoactive on the CSCPA Valuation, Forensic, and LitigationSupport Group and is an adjunct professor for theUniversity of Connecticut master’s program.

Opportunities to divert funds are being createdwithout thought of the potential risks.

(continued on next page)

CSCPA board member and author Steve Pedneault shows one ofhis new books to CSCPA President Marcia Marien.

advocacy • communi ty • educat ion8

existed, but for some reason the individ-uals responsible for performing thesecontrols stopped doing their reviews,checks, and balances. It has not beenuncommon for owners or executives torationalize their abandoning of perform-ing key controls and reviews becausethey have “trusted” individuals workingfor them. Unfortunately, statistically,these “trusted” employees are often theones who steal from the organization –and in large amounts over long periodsof time.

In one recent case the controller was“trusted” to perform virtually everyfinancial process within the organiza-tion. Little to no oversight was everimplemented over the controller’sactivity. Year after year, the controllerhandled all aspects of the organiza-tion’s finances.

One day an accidental discoveryrevealed the controller inappropriatelyused organization funds for personalpurposes. A formal investigation into thecontroller’s past activity and transac-tions was initiated and, as a result, mul-tiple diversion schemes were identifiedleading back several years, all of whichshould have been detected within thefirst month the controller started inap-propriately using the funds. In the endthe “trusted” controller diverted morethan $500,000 from the organization.

Basic internal controls should haveprevented this or, at a minimum, wouldhave detected the controller’s activitywithin the very first month. All of thepersonal activity was easily identifiableon the monthly bank statements.Someone independent of the con-troller, ideally the primary check signerreceiving and reviewing the organiza-tion’s monthly bank statement, wouldhave detected the schemes early onand minimized the loss.

In another case, an employee divertedpayments received from customers,concealing the thefts by simply postingpayments to customers’ accounts with-in accounts receivable. Once the bal-ances were “paid,” no further follow-upwas performed on the balances, mini-mizing any risk of detection.

No independent reviews or reconcilia-tions were being performed to comparewhat was received each day to whatwas posted as payments daily, andalso to the actual bank deposits for thesame day. This three-way reconciliationcompleted on a daily and monthly basiswould have identified if differencesexisted (almost daily) between pay-ments recorded within accounts receiv-able versus the actual bank deposits.

No copies or images were maintainedof the customer payments, preventinganyone from determining the composi-tion of each deposit and further limitingany risk of detection, as there were nomeans to compare the customers cred-ited with payments to the actual cus-

tomer checks that were deposited. Anindependent review of the depositbatch of payment copies compared tothe actual bank deposit would havealso revealed the theft.

Limitations due to available recordsprevented us from determining if theemployee had been stealing for weeks,months, years, or all the way back towhen they were hired 15 years ago.

What can be done?

So many instances of employeeembezzlement could have been eitherprevented or detected had basic man-ual controls and procedures beenimplemented and followed. Basic con-trols would include simple measureslike the primary check signer directlyreceiving the actual monthly bankstatement and reviewing it for reason-ableness before it is passed along forsomeone to reconcile.

Every employer, regardless of size andindustry, needs to objectively evaluatetheir financial policies, internal con-trols, and accounting procedures todetermine which basic controls arenecessary and appropriate. Basic con-trols would include the controls recom-mended back when deposits weremanually reconciled and physicallytaken to the bank, when checks werehand-written and hand-signed forevery disbursement, and when payrollwas distributed to each employee inperson, after careful review to ensureno individual employee was paid (typi-cally in cash) more than they were enti-tled to receive.

Some basic controls to consider are:

• Each day’s receipts should beprocessed intact daily as a batch, withcopies made to support the day’sreceipts. A report identifying the postedpayments should be generated and,together with the bank deposit slip anddeposit receipt, should complete eachday’s batch.

Offers in Compromise

IRS & DRS Representation

Tax Litigation

Admitted US Tax Court BarUS District Court Bar

EILEEN C. SEAMANAttorney at LawGreenwich, CT

203-863-9000Please call for a

complimentary consultation

taxesandlaw.com

The U.S. Treasury Dept. has confirmed Atty. Seaman’s selection

as the CT Alternate Member of the TaxpayerAdvocacy Panel, an advisory group

to the IRS.

paid advertisement

Internal Controls 2010 (continued from previous page)

• Someone independent of processingreceipts should review and reconcileeach batch for reasonableness. Forspace consideration, each day’s batchcan then be scanned and maintainedelectronically.

• Supporting invoices and receiptsshould accompany every check for sign-ing. Each check should be manuallysigned and then mailed out directly bythe signer, and not returned to the indi-vidual who generated the checks.Signature stamps need to be eliminated.

• Petty cash accounts need to be con-trolled and reconciled by someoneother than the person responsible formaintaining the accounts. The sameholds true for any client fund accounts,trust funds, or any instances wherefunds are maintained on behalf of oth-ers, ensuring an independent review iscompleted regularly.

• Individuals with access to add,change, and terminate employeeswithin payroll should be separate fromemployees who process payroll.

• Payroll should be reviewed beforeand after transmitting for processing,whether internally prepared or througha payroll service. The payroll packageshould be received directly andreviewed by someone other than theindividual who processes payroll.

• Monthly bank statements should bereceived in the mail and includeimages of the cancelled checks, unlessthe fee to provide the images provescost-prohibitive. Reviewing the imagesin many cases would reveal unautho-rized disbursements and without theimages, other controls will be needed.

Talk to your clients.

Embezzlements are occurring atincreasing and alarming rates.Regardless of the level of service youprovide, you need to speak with yourclients about the risks that may exist

advocacy • communi ty • educat ion 9

paid advertisement

“Trusted” employees are often the ones who steal from the organization – and inlarge amounts over long periods of time.

(continued on next page)

advocacy • communi ty • educat ion10

within their respective organizationsand ask them what they are doing tominimize their risks.

For those entities that are audited, ourprofessional standards require theauditor to review and assess theclient’s systems of internal controls todetermine how much reliance can beplaced on them, as well as identify andreport any deficiencies and materialweaknesses. What about non-materialweaknesses that are identified?

For all the other clients who aren’taudited, no such formal requirementsexist. Arguably these clients may pos-sess the greatest risks, as there are norequirements for anyone internal orexternal to the organization to objec-tively review their controls and proce-dures. They may also pose the great-est risk to the accounting firm from a lit-igation perspective.

Several years ago while working for aregional firm we identified this veryissue, and decided as a firm to take theproactive initiative to speak with all ofour non-audit clients. Letters were sentto each client alerting them to the risksof employee theft and embezzlement,and internal newsletter articles weredirected toward these issues. In somecases we met with the clients to dis-cuss this and followed up with a lettersummarizing our meeting. Many clientsexpressed their appreciation for edu-cating them and causing them tochange how they ran things. The goalwas twofold: educate the non-auditclients and protect the firm as best aspossible from potential future litigation.

Clients need to hear and understandthat individuals in positions of “trust”are frequently the same individualswho embezzle large amounts offunds. “Trust” has no place within

properly designed internal controlsand procedures. Appropriate andpractical controls should rely uponpositions, levels of responsibility andareas of opportunity, and should notbe subjectively based upon who cur-rently fills a position.

Where do we go from here?

When evaluating internal controls,whether they are your own organiza-tion’s or those of your clients, considerbasic manual controls that were pres-ent in most accounting departmentsmore than 20 years ago during theperiod before computers and the inter-net dominated most accounting areas.In many cases, easily identifiable basiclevel manual controls can minimize therisk of employee theft and embezzle-ment within any organization, but onlyif the controls are actually performedonce implemented. And as always,remain vigilant.

Stephen Pedneault,CPA, CFE, CFF, FCPAis the principal ofForensic AccountingServices, LLC inGlastonbury, special-izing only in forensic

accounting, employee fraud, and litiga-tion support matters. Pedneault is aCertified Fraud Examiner (CFE) andCertified in Financial Forensics (CFF).He can be reached via email at Steve@forensicaccountingservices.com.To find more information about Forensic Accounting Services, visit www.forensicaccountingservices.com.

Pedneault’s new book Preventingand Detecting Employee Theft andEmbezzlement: A Practical Guide(Wiley) covers internal controls andprocedures as well as all the finan-cial areas typically found in mostorganizations, from hiring throughmonth-end processing.

paid advertisement

Internal Controls 2010 (continued from previous page)