When the Controls are Away, There is a High Price to Pay

In accounting, we are taught many things that are set in stone. Debits on the left and credits on the right. Assets equal liabilities plus owners’ equity. We are also taught that there are certain things that are considered “shoulds” in accounting:

Revenue should exceed expenses.

A company should have positive cash flow.

There should be controls in place to safeguard a company’s assets.

This last item, controls, is the one “should” that seems to be still overlooked today, and it can cost a company dearly.

In the August 2014 edition of the Journal of Accountancy, there is an article called “Lessons from an $8 million dollar fraud”. The article discusses a former accounting manager at a large financial services organization who is serving a 97-month sentence for embezzling nearly $8.5 million dollars in just over four years.

The manager was able to manipulate a system and a company that lacked a strong internal control process and the resources to apply the necessary controls. He became an expert in the company’s ERP system during a corporate changeover and by accident, he and another co-worker were given the ability to request as well as approve checks.

This alone breaks the cardinal rule of segregation of duties. Although the department was small, there should have been adequate controls in place, even if it meant delegating someone from another department as a co-approver.

This would have required a second set of eyes in the process and created a major deterrent for any wrongdoing. Along with no segregation of duties, the employees knew and frequently used each other’s login credentials – making it even easier for the manager to cover his tracks.

Changing passwords can seem inconvenient, but it is critical to the security and integrity of any system, let alone an accounting/ERP system. After reading this article, I now look at the “change password and keep it secret” emails from my IT department in a whole different light.

In addition to the issues above, there are two critical areas that this article brings to the forefront – the lack of resources to manage/reconcile accounts and relying too much on an ERP system for compliance and risk mitigation.

Let’s look first at the lack of resources, in this case, technology that I believe helped play a key role in allowing this activity to go on for as long as it did.

The employee made sure to bury his bogus vendor payments in accounts “that had a lot of reconciliation activity” with “thousands of journal entries and billions of dollars of transactions”. If there had been a reconciliation tool in place with proper workflow, this activity would have had a higher chance of getting detected. By implementing a technology-based solution, the company would have had visibility into what specifically made up the account balances. Supporting documentation would have been required, and if that documentation was missing, it would have triggered a manager to become more involved in the process.

The company could have used transaction matching to help sift through those thousands of records to help determine what might have been out of place. There are solutions with matching engines that can run through hundreds of thousands of records in no time, making quick work of the data along with supplying this information directly into the reconciliation itself.

The accounting manager was tasked with reconciling and recording Canadian investment income into the US books. He used this access to manipulate the books by weakening the Canadian dollar via the exchange rates. If there had been a system in place that automatically imported not only account balances and transactional detail but the accurate exchange rates, everything would have been reflected correctly, making this step almost impossible.

One other critical oversight made by the company, in my opinion, was to rely on their ERP system for reconciliations as opposed to a balance sheet account reconciliation software platform. Many companies think that “our ERP does the reconciliations for us”. That is not the case.

Let’s look at the steps this manager took to commit the fraud. He entered a check request into the ERP payables subledger. He then processed the request for payment, which allowed the transaction to post to the general ledger. The payment process also recorded the expense and reduction in cash.

From an ERP system perspective, everything was correct in that all systems were in balance. What the ERP failed to do was to validate that the balance was correct and appropriate. In no way would an ERP system have done this step, however there is software available that would have provided the company a platform for explanations and documentation to support the balance and transactions. By implementing a proper reconciliation tool and process, management could have been made aware of the issue and action could have been taken much sooner.

When reading the article you will see that there were several other factors involved in this scheme, all of which went unnoticed. No system is 100% foolproof – that’s why a combination of best practices and a market leading software solution can provide an extra layer of security and comfort around the accounting operations of any organization. It is a small price to pay compared to the millions of dollars companies have lost. I am amazed that this fraud went undetected for as long as it did, but then again, when the controls are away……..

In accounting, we are taught many things that are set in stone. Debits on the left and credits on the right. Assets equal liabilities plus owners’ equity. We are also taught that there are certain things that are considered “shoulds” in accounting:

Revenue should exceed expenses.

A company should have positive cash flow.

There should be controls in place to safeguard a company’s assets.

This last item, controls, is the one “should” that seems to be still overlooked today, and it can cost a company dearly.

In the August 2014 edition of the Journal of Accountancy, there is an article called “Lessons from an $8 million dollar fraud”. The article discusses a former accounting manager at a large financial services organization who is serving a 97-month sentence for embezzling nearly $8.5 million dollars in just over four years.

The manager was able to manipulate a system and a company that lacked a strong internal control process and the resources to apply the necessary controls. He became an expert in the company’s ERP system during a corporate changeover and by accident, he and another co-worker were given the ability to request as well as approve checks.

This alone breaks the cardinal rule of segregation of duties. Although the department was small, there should have been adequate controls in place, even if it meant delegating someone from another department as a co-approver.

This would have required a second set of eyes in the process and created a major deterrent for any wrongdoing. Along with no segregation of duties, the employees knew and frequently used each other’s login credentials – making it even easier for the manager to cover his tracks.

Changing passwords can seem inconvenient, but it is critical to the security and integrity of any system, let alone an accounting/ERP system. After reading this article, I now look at the “change password and keep it secret” emails from my IT department in a whole different light.

In addition to the issues above, there are two critical areas that this article brings to the forefront – the lack of resources to manage/reconcile accounts and relying too much on an ERP system for compliance and risk mitigation.

Let’s look first at the lack of resources, in this case, technology that I believe helped play a key role in allowing this activity to go on for as long as it did.

The employee made sure to bury his bogus vendor payments in accounts “that had a lot of reconciliation activity” with “thousands of journal entries and billions of dollars of transactions”. If there had been a reconciliation tool in place with proper workflow, this activity would have had a higher chance of getting detected. By implementing a technology-based solution, the company would have had visibility into what specifically made up the account balances. Supporting documentation would have been required, and if that documentation was missing, it would have triggered a manager to become more involved in the process.

The company could have used transaction matching to help sift through those thousands of records to help determine what might have been out of place. There are solutions with matching engines that can run through hundreds of thousands of records in no time, making quick work of the data along with supplying this information directly into the reconciliation itself.

The accounting manager was tasked with reconciling and recording Canadian investment income into the US books. He used this access to manipulate the books by weakening the Canadian dollar via the exchange rates. If there had been a system in place that automatically imported not only account balances and transactional detail but the accurate exchange rates, everything would have been reflected correctly, making this step almost impossible.

One other critical oversight made by the company, in my opinion, was to rely on their ERP system for reconciliations as opposed to a balance sheet account reconciliation software platform. Many companies think that “our ERP does the reconciliations for us”. That is not the case.

Let’s look at the steps this manager took to commit the fraud. He entered a check request into the ERP payables subledger. He then processed the request for payment, which allowed the transaction to post to the general ledger. The payment process also recorded the expense and reduction in cash.

From an ERP system perspective, everything was correct in that all systems were in balance. What the ERP failed to do was to validate that the balance was correct and appropriate. In no way would an ERP system have done this step, however there is software available that would have provided the company a platform for explanations and documentation to support the balance and transactions. By implementing a proper reconciliation tool and process, management could have been made aware of the issue and action could have been taken much sooner.

When reading the article you will see that there were several other factors involved in this scheme, all of which went unnoticed. No system is 100% foolproof – that’s why a combination of best practices and a market leading software solution can provide an extra layer of security and comfort around the accounting operations of any organization. It is a small price to pay compared to the millions of dollars companies have lost. I am amazed that this fraud went undetected for as long as it did, but then again, when the controls are away……..