Client Embezzlement: Minimizing the CPA's Liability
How often have you seen these headlines?
"74 year-old bookkeeper pleads guilty to charges that she helped embezzled $1.2 million from her synagogue where she worked for almost 20 years."
"Treasurer and one of the founders of the Area Youth Athletic Association pleads guilty to charges that he embezzled over $475,000 during the past 10 years"
"Bookkeeper pleads guilty to embezzling over $950,000 from a local family owned and operated construction company."
"Long time trusted employee bookkeeper pleads guilty to embezzling from a local chain of fabric stores over $650,000 which she used to purchase prescription medications for her dying spouse"
While these and other headlines are of great value to the news media, they can be a significant embarrassment to the certified public accountant providing attest or other services to these smaller businesses and non-profit organizations.
More often than not, clients believe that their outside CPA should have detected the embezzlement. Client allegations such as:
- During the annual audit of their company, the CPA should have discovered the forgery perpetrated by the controller through a detailed review of the company's bank statement and by examining the handwriting on each of the cancelled checks.
- The CPA who provided annual review services for their 20 year non-profit client should have detected the embezzlement perpetrated by the executive director by reviewing the organization's bank statements and credit card statements.
- The CPA who prepared compiled financials, payroll and corporate tax returns for their client of 15 years should have discovered the bookkeeper's embezzlement by reviewing each of the cancelled checks from the bank.
In every one of these cases, the client is demanding reimbursement from their CPA for, at a minimum, their amount of the embezzled funds.
CAMICO, one of the leading providers of malpractice insurance coverage for the CPA profession, recently reported that claims against CPAs exceeding $150,000, resulting from defalcations within the client organization, have been increasing steadily since the year 2000, both in severity and frequency. Furthermore, CAMICO reports that of the total fraud claims by engagement, 36% result from audit engagements, while 43% of the fraud claims result from review, compilation, tax and accounting service engagements.
Studies have proven time and again that one's personal enrichment, through the deliberate misuse or misapplication of the employing organization's resources or assets, is made possible through a lack of an effective internal control environment. Organizations, in particular, the smaller to mid-size businesses and non-profit organizations, driven by a strategy to minimize costs, are susceptible to a weak internal control environment, and, thus, vulnerable to employee fraud, often perpetrated by long time, trusted employees.
How then can CPAs minimize uninformed client perceptions such as:
- CPAs are held to very high standards and, therefore, should uncover fraud.
- The purpose of an audit is to uncover any type of fraud, regardless of the type of audit done.
- A CPA, who is hired to compile or review a company's financial statements, but not to do an audit, is still responsible for detecting fraud or wrongdoing.
In order to minimize our potential liability resulting from client employee wrongdoing, we need to educate our clients about the value of internal controls and other ethical protocols. We must stress that the costs of employee fraud can never be eliminated but can be mitigated through a program of fraud prevention and deterrence strategies. Following is a list of internal control suggestions which I have found most useful in educating smaller to mid-size business and non-profit clients:
- HIRING PROCEDURES - Conduct background checks on all permanent and temporary personnel. Request and thoroughly check references and scrutinize all dates and time gaps in their resume.
- FIDELITY BONDS - Have all employees with access to cash or employed in financial functions bonded. Non-profit organizations utilizing volunteer personnel in cash or other financial functions should likewise be bonded. It may be worthwhile to obtain a blanket fidelity bond to cover all employees.
- BANK STATEMENTS - have all bank statements mailed direct to the company owner-manager or non-profit audit committee member, preferably to their home address. The owner-manager or audit committee member should open the statement, perform an initial review of all bank statement entries and carefully scrutinize each cancelled check. The bank statements should then be reconciled by an individual without check issuance authority. It is the account holder's responsibility to ensure that bank statements are received, reconciled and reviewed for forged or altered checks (these may be imaged with the statement or researched further online).
- CREDIT CARD STATEMENTS – Organizations are using credit cards to a greater extent in their daily operations. Credit cards are being used not only for travel and entertainment needs, but also for purchasing technology equipment, supplies and publications. Therefore, credit card statements, like bank statements, should be mailed direct to the owner-manager or non-profit audit committee member for review of each line item charge. Prior to payment, each line item charge should be supported by an original receipt.
- CHECK REQUESTS – All check requests should require original vendor invoices, purchase order and receiving reports with agreement as to quantities, brands, product descriptions and/or services requested. All should be stamped "paid" and marked with the related check number.
- ACCOUNTS RECEIVABLE – Have someone not involved in making the bank deposit or accounts receivable bookkeeping open the daily mail, count the cash and check amounts received, and report those totals to the owner-manager or other appropriate person, who compares the reported amount to the amount actually deposited. For organizations with a significant volume of transactions, consider the use of a lock box.
- ACCOUNT RECONCILIATIONS - In addition to monthly bank reconciliations noted above, require that accounts receivable and accounts payable be reconciled monthly with all exceptions cleared and reviewed by the owner-manager or non-profit audit committee member. These are a minimum: depending on the client, staffing levels, and fungibility of the assets; all balance sheet accounts should be reconciled if the cost: benefit is justified.
- AUTHORIZATION AND ACESS CONTROLS – Restrict access to the vendor master file records. Someone independent of the buying and payment processing function should review all new supplier entries to include a telephone call to the new supplier verifying name, address and federal tax identification number.
- AUTHORIZATION AND ACESS CONTROLS - These controls are designed to ensure that only appropriate employees can enter into transactions or have access to organization assets, documents and records. Examples include password protection of computer files, authorization limits on check signing, dual custody of cash receipts or cash on hand, physical safeguards on all assets susceptible to theft such as vaults for cash and security measures for inventory, and physical controls over organization documents and records such as storing checks and invoices in locked cabinets.
- MANDATORY VACATIONS - Require mandatory vacations for all personnel in accounting, human resources and cash handling functions. Vacations should be at least one to two weeks long at the end of an accounting cycle. Cross train employees so that someone else does their job during the vacation.
In addition to implementing and/or strengthening internal control procedures previously described, we need to also educate our clients as to changes in employee behavior. Although it is difficult, if not impossible, to characterize employees who will steal, some of the red flags to identify embezzlers include substance abuse, gambling, change in lifestyle, extra-marital affairs, living beyond one's means, possessiveness of work, high personal debts, high medical bills, peer pressures, or, simply, dissatisfaction with work.
In summary, if we wish to minimize client misconceptions about the CPA's role in detecting fraud within our client's own organization, we must emphasize to our clients the value of a program of fraud prevention and detection strategies and assist them in tailoring programs practical to their needs. As Frank Abagnole, Special Investigator to the FBI stated, "If you make it easy for people to steal from you, they will." However, as Benjamin Franklin stated back in 1736, "An ounce of prevention is worth a pound of cure."