Internal controls are important to prevent error and ensure integrity of accounting records as well as to reduce the risk of misappropriation of assets (fraud). A good system of internal controls protects both the firm and its employees. Designing such a system requires one to consider the resources of the firm and the costs/benefits of any particular control procedure. Operating procedures and ongoing monitoring ensure that the system is functioning properly and that inadvertent errors are reduced. Segregation of duties reduces the risk of misappropriation by an individual.
An examination of fraud schemes should assist the reader to understand the role of internal controls in an accounting system. And before you say that law firms don't have problems with fraud, let me say that phrase has cost law firms, partners and clients a great deal of money. Law firms may be closely held enterprises with active on-site professional owners, but that is not an assurance of problem-free economic activity. Law firms have the additional exposure in that they are also responsible for funds that belong to their clients. Fraud experts say that given the right fact situation, anyone can find themselves in a financial corner where the only apparent course of action is theft. It is impossible to eliminate the potential for fraud. One can only manage the risk reducing the exposure.
The following schemes have actually happened. They will happen again if the conditions that led to their occurrence are permitted to continue or recur.
Ghost employees -- The employment of fictitious personnel. This scheme typically requires a larger organization where all employees are not universally known. However, in smaller organizations ghosts can appear in the casual or temporary employee area. Temporary employees may not exist, or actual temporary employees are paid for work that is never done. Over time the dollar losses can grow quite large. Remember that the losses include not only the wages paid but employer payroll taxes and other payroll related expenses as well.
Employee tax withholdings -- Few people check their pay stubs to ensure that it is accurate, outside a casual check to see if overtime, vacation or holiday pay is correctly listed. Even fewer will check to see if the year-to-date (YTD) accumulations are accurate or that year-end statements correspond to the final pay stub. The impropriety occurs when the withholdings are reported to the tax collector. A large group of individuals have their withholdings decreased a very small amount from what was actually taken from their paycheck. The perpetrator adjusts his or her reported withholdings upward by the total of the accumulated downward adjustments of others. This can accumulate significant refunds for the perpetrator. Typed or computer-printed payroll checks and year-end statements should not offer significant comfort to the wary. Unfortunately, computer-aided fraud is possible and is a growing problem.
Double payroll -- Writing more than one payroll check to the same employee. This will most likely occur when a corrected paycheck is required.
Unauthorized raises -- Many law firms rely on the check signer's familiarity with the personnel and their pay rates to verify amounts on checks. Unfortunately, this is a danger because most check signers will not notice small changes in net pay. If they do, they are easily explained as a change in withholding.
Direct deposit, while a convenience and safety benefit for employees, can increase the chance that the above schemes take place. There are no checks to sign. Often there is no equivalent review of outside or automated payroll that would correspond to the review when a check is signed. That said, direct deposit is a more secure and employer friendly means of handling payroll. Your CPA firm can help you modify internal contacts to accommodate using outside payroll companies and direct deposit.
 Accounts Payable
Dummy companies -- Invoices for fictitious products or services from companies that are only a sham. All you need is a few hundred dollars' investment to have the computing and printing power to create your own fictitious operation. The volume of supplies and services any organization requires to function is incredible. Consider also the corporate refugees who start their own businesses after being made redundant at their former employers. The marketplace is crowded with small vendors. No check signer can be aware of every vendor relationship in the organization.
Legitimate companies--bad invoices -- Real companies controlled by the perpetrator or a related person generate either false or inflated invoices. This compounds the above problem because now a real business is involved. The amounts may be very small at first, but they will grow over time and the accumulated amount can be substantial.
Double payment -- Repeated payment of the same legitimate invoices or the alteration of legitimate invoices to create a second, slightly different invoice that is then presented for payment. Having more than one check signer can aid this fraud. The invoice can be paid in two different batches of checks. Each is then presented, reviewed and signed by a different check signer. Another double-payment scheme is to pay the invoice and then pay the statement separately.
 Accounts Receivable
Diverted payments -- Payments by clients diverted from the firm's official account to a special "unofficial" account. It's easy for the bookkeeper or a partner to go to a bank and open a new "firm" account. Payments from clients are then endorsed to the firm and deposited into this special account. Checks are then drawn on the special account for personal use.
Fraud in the purchasing area often takes the form of kickbacks. The following schemes involve collusion with someone inside the law firm. This never used to be a problem with law firms until the need to reduce costs sent more and more law firms to competitively bid for supplies, services and purchases.
Manipulated bidding process -- Preferred bidders are given inside information to aid the preparation of their own proposals. Such information may include knowledge of other bidders' proposals or the advance knowledge of the relative importance of bid components.
Rigged specifications -- Specifications and delivery can be designed so that the number of potential bidders is reduced. Advance knowledge may be used to inform the preferred bidder so that they are in a position to meet the "unreasonable" demands.
Phony competitive bidding -- Multiple bids may involve phony competitors or a controlled group of companies where arm's length competition is lacking.
The following are signs that either fraud is taking place or that the conditions are right for thefts to occur. One must be careful to examine the entire fact situation, because some of the following are only pieces of a puzzle that must be completely assembled in order to determine that something is awry.
Lack of good accounting detail -- This includes missing or vague explanations for journal entries and adjustments, insufficient or missing original documentation (receipts, invoices and delivery slips).
No time off -- Unwillingness of employees to take vacations is dangerous to the well being of the employee and potentially the well being of the organization. Vacations are important in internal control systems of any enterprise. Employees who refuse or never get around to taking vacations may be afraid to be away from their work lest someone detect the improprieties taking place. Less ominous is also the fact that everyone needs to rejuvenate. Failure to do so often results in burnout, lower productivity, increased errors, and even poor client relations.
Lack of segregation of duties -- This is Accounting 101's first basic rule. Allowing one individual to control an entire process opens the firm and the employee to risk. The firm has no means to detect the impropriety. The employee has very little defense if accused.
No or insufficient checkpoints -- This is basic rule number two. If there are no control points, then errors will go undetected.
No policies on nepotism or related party transactions -- There are many small law firms with multiple family members. Some are even family law firms. There are benefits and risks in any organization. Conventional wisdom is consistent in its position that nepotism increases the risk to fraud. Related party transactions exist when there lacks an arm's length relationship between organizations. In today's business marketplace, this is more common than one might initially expect. Generally, competition and propriety are best achieved with arm's length relationships. Again, the risks cut both ways against both the organization and the individuals.
Limited involvement of outside CPA -- Your outside accountant is the small business person's professional resource to ensure that operations are as they should be. Firms who save on overhead expenses by limiting or avoiding the use of an outside CPA are probably losing more valuable guidance than they are saving in professional fees.
Inattention to checks -- Checks made out to "cash," checks lacking appropriate endorsement or having second endorsement, and post-dated checks are all signs that the accounting system is lax. Such invitations open the door for theft to occur.
Cash transactions -- There is a significant underground economy in the United States. Cash transactions are almost impossible to trace. However, given the increasing use of debit/credit/smart cards, cash is becoming more of a rarity. Thus, significant use of cash is more suspect.
Pipeline adjustments -- The business management of law practice is fairly straightforward. Recurring or unusual write-offs of unbilled time or receivables and adjustments to client accounts are a signal that something is amiss.
Understaffed accounting department -- Understaffing leads to errors, lax procedures to keep current, exceptions to procedures to handle "emergencies" and a general inability to really look at what is transpiring. Understaffed accounting operations become paper pushers trying to stay afloat and are not able to analyze or look at a broader picture of propriety.
Corporate credit cards -- Corporate and small business perk number one is the company credit card. This is giving purchasing authority to each and every card holder. Heaped on top is the burden of reconciling the credit card statements and attempting to collect for personal charges.
No competitive bidding -- Vendor relationships are not being tested against the market to ensure that appropriate value is being rendered.
Unusual behavior -- Sudden changes in behavior or behavior that may show an abnormal dependency. Fraud is often a way out for people in trouble. Reading the signs of people in trouble is not easy. You must be perceptive and careful to have the complete picture.
Inconsistent lifestyles -- A staff person's manner of dress, mode of transportation and general lifestyle were inconsistent with income and family situation. It was something that occurred suddenly and roughly in sync with a subtle but significant and unexplained change in company performance. Investigation confirmed a diversion of funds.
Clearly most people are honest as a point of personal integrity. However, when fraud news hits the streets there is consistent reaction. How could this have happened? Why didn't someone discover it sooner? It is this combination of shock that it occurred, denial that it could have happened to me by him or her, and anger that some third party did not discover the act earlier that confounds all of us.
Surprisingly, it is not necessary to bring in the surveillance cameras and security guards or undertake annual audits. Probably the most important safeguard is common sense and taking an inquisitive and active interest in your law firm and its employees. Specifically, one must work to remove opportunities for theft. Simply bonding those who have custody of assets or signature authority on accounts is a cost effective means to limit risk.
No business of any size should forgo the use of a good outside CPA. Audit services may be the first use that comes to mind. In some circumstances, an audit engagement may make sense. However, audits are not designed to discover fraud. Many firms would do well to engage their accountant to examine their system of internal controls, recommend improvements and to periodically monitor compliance. In addition, such services should include:
1. A surprise, once-a-year inspection of the monthly bank statements before they are delivered to the firm;
2. Periodic direct receipt of the payroll control master for the CPA's review (this works well in smaller firms where the CPA is likely to know all of the employees and the appropriate levels of pay for their positions).
Good internal controls work to the benefit of the firm and the employees. Create processes that provide automatic checkpoints. Segregating duties yields such checkpoints and requires that collusion take place to perpetrate a fraud. In its most basic form you want to separate custody from reporting activities. Following are some basic processes. Each firm should work with its CPA to adapt processes that are consistent with its needs and size. The following is provided solely as an illustration and is not intended to be an exhaustive listing of best practices, nor will it be adequate in all situations.
For example, is this what happens when your clients pay for services? Does your firm's bookkeeper open the envelope, place the checks in a drawer until Friday, endorse the check, complete the deposit slip, go to the bank to make the weekly deposit, record the deposit in the general ledger, record the payment on the client's account card and at the end of the month reconcile the bank statement? Some of you are saying yes.
Ideally, a mail clerk should open the mail and make a list of all checks, indicating the payee, the amount, and the type of payment, if known. The checks should go to the cashier for preparation of the daily deposit. The remittance advices should go to the receivables clerk for recording against the client's account card. General accounting should record the cash receipts in the general ledger. The mail clerk's check list should go to the administrator to be compared to the deposit ticket and the batch totals for cash receipts and postings to client accounts. Monthly the deposit slip should be compared to the bank statement.
Similar processes should be developed for cash disbursements, client trust accounts and payroll. In addition, safeguards should be put in place for non-cash transactions such that diverted funds cannot be hidden with journal entry adjustments.
Check disbursements should be made only when there is an original invoice (never, never pay from a statement--ask for a copy of the invoice to be faxed if necessary). Invoices should have approval from the individual who received the goods or services and separate approval from an individual who is more senior than the individual making the request. The accounting personnel should make sure that there are no clerical errors on the invoice, that it is the original invoice (i.e., no prior payments have been made), and that the pricing is in accordance with any agreements or contracts. Payments should be scheduled to meet the vendors' terms and to take discounts and avoid penalties as is appropriate. It is helpful if the accounting department has a stamp that provides for signatures, account numbers, check numbers, and dates. Every invoice should be marked paid when the check is signed.
Most of the payroll-related schemes can be eliminated by using an outside payroll service. Using a payroll service is quite common. Over 63% of all law firms and up to 90% of law firms of over 100 lawyers use outside payroll services.1 All changes to the payroll should require a second reviewer's signature. This includes additions, deletions and changes of any kind (pay rate, bonus, overtime, status, withholdings). Have someone separate from the payroll function verify the current payroll against the prior payroll to ensure that only duly authorized changes were made. Distribution of payroll should be done by someone independent of the payroll process. Have any undelivered checks or deposit stubs returned for follow-up.
Fraud can occur in any organization. Sometimes it is intentional theft. Sometimes it is seen by the perpetrator as the only means out of a desperate situation. Simple basic attention and controls go a long way to remove the potential for fraud. They also make it likely that such activities or even simple errors are caught early, before they can become significant or embarrassing. Remember this rule: Fraud is committed by those you trust. Those you don't are either let go, put in low-risk positions or watched too carefully for the fraud to occur.
FOOTNOTES:Footnote 1. 1997 Compensation Systems in Private Law Firms Survey, Altman Weil Publications, Inc., Newtown Square, PA 19073.