Fraud, Internal Controls, and Cash

Why It Matters

One of Jennifer's fondest memories was visiting her grandparents' small country store when she was a child. She was impressed by how happy the customers seemed to be in the welcoming environment. While attending college, she decided that the college community needed a coffee/pastry shop where students and the local citizens could congregate, spend time together, and enjoy a coffee or other beverage, along with a pastry that Jennifer would buy from a local bakery. In a sense, she wanted to replicate the environment that people found in her grandparents' store.

After graduation, while she was in the planning stage, she asked her former accounting professor for advice on planning and operating a business since she had heard that the attrition rate for new businesses is quite high. The professor told her that one of the most important factors was the selection, hiring, and treatment of happy and productive personnel. The professor further stated that, with the right personnel, many problems that companies might face, such as fraud, theft, and the violation of the organization's internal control policies and principles, can be lessened.

To emphasize her point, the professor stated a statistic from the National Restaurant Association's 2016 Restaurant Operations Report that restaurant staff were responsible for an estimated 75% of inventory theft. This statistic led to the professor's final gem of wisdom for Jennifer: hire the right people, create a pleasant work environment, and also create an environment that does not tempt your personnel to consider fraudulent or felonious activities.

Source: OpenStax, https://openstax.org/books/principles-financial-accounting/pages/8-why-it-matters
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License.

Analyze Fraud in the Accounting Workplace

In this chapter, one of the major issues examined is the concept of fraud. Fraud can be defined in many ways, but for the purposes of this course we define it as the act of intentionally deceiving a person or organization or misrepresenting a relationship in order to secure some type of benefit, either financial or nonfinancial. We initially discuss it in a broader sense and then concentrate on the issue of fraud as it relates to the accounting environment and profession.

Workplace fraud is typically detected by anonymous tips or by accident, so many companies use the fraud triangle to help in the analysis of workplace fraud. Donald Cressey, an American criminologist and sociologist, developed the fraud triangle to help explain why law-abiding citizens sometimes commit serious workplace-related crimes. He determined that people who embezzled money from banks were typically otherwise law-abiding citizens who came into a "non-sharable financial problem". A non-sharable financial problem is when a trusted individual has a financial issue or problem that he or she feels can't be shared. However, it is felt that the problem can be alleviated by surreptitiously violating the position of trust through some type of illegal response, such as embezzlement or other forms of misappropriation. The guilty party is typically able to rationalize the illegal action. Although they committed serious financial crimes, for many of them, it was their first offense.

The fraud triangle consists of three elements: incentive, opportunity, and rationalization (Figure 8.2). When an employee commits fraud, the elements of the fraud triangle provide assistance in understanding the employee's methods and rationale. Each of the elements needs to be present for workplace fraud to occur.

Figure 8.2 Fraud Triangle. The three components identified in the fraud triangle are perceived opportunity, incentive, and rationalization.

Perceived opportunity is when a potential fraudster thinks that the internal controls are weak or sees a way to override them. This is the area in which an accountant has the greatest ability to mitigate fraud, as the accountant can review and test internal controls to locate weaknesses. After identifying a weak, circumvented, or nonexistent internal control, management, along with the accountant, can implement stronger internal controls.

Rationalization is a way for the potential fraudster to internalize the concept that the fraudulent actions are acceptable. A typical fraudster finds ways to personally justify his or her illegal and unethical behavior. Using rationalization as a tool to locate or combat fraud is difficult, because the outward signs may be difficult to recognize.

Incentive (or pressure) is another element necessary for a person to commit fraud. The different types of pressure are typically found in (1) vices, such as gambling or drug use; (2) financial pressures, such as greed or living beyond their means; (3) work pressure, such as being unhappy with a job; and (4) other pressures, such as the desire to appear successful. Pressure may be more recognizable than rationalization, for instance, when coworkers seem to be living beyond their means or complain that they want to get even with their employer because of low pay or other perceived slights.

Typically, all three elements of the triangle must be in place for an employee to commit fraud, but companies usually focus on the opportunity aspect of mitigating fraud because, they can develop internal controls to manage the risk. The rationalization and pressure to commit fraud are harder to understand and identify. Many organizations may recognize that an employee may be under pressure, but many times the signs of pressure are missed.

Virtually all types of businesses can fall victim to fraudulent behavior. For example, there have been scams involving grain silos in Texas inflating their inventory, the sale of mixed oils labeled as olive oil across the globe, and the tens of billions of dollars that Bernie Madoff swindled out of investors and not-for-profits.

To demonstrate how a fraud can occur, let's examine a sample case in a little more detail. In 2015, a long-term employee of the SCICAP Federal Credit Union in Iowa was convicted of stealing over $2.7 million in cash over a 37-year period. The employee maintained two sets of financial records: one that provided customers with correct information as to how much money they had on deposit within their account, and a second set of books that, through a complex set of transactions, moved money out of customer accounts and into the employee's account as well as those of members of her family. To ensure that no other employee within the small credit union would have access to the duplicate set of books, the employee never took a vacation over the 37-year period, and she was the only employee with password-protected access to the system where the electronic records were stored.

There were, at least, two obvious violations of solid internal control principles in this case. The first was the failure to require more than one person to have access to the records, which the employee was able to maintain by not taking a vacation. Allowing the employee to not share the password-protected access was a second violation. If more than one employee had access to the system, the felonious employee probably would have been caught much earlier. What other potential failures in the internal control system might have been present? How does this example of fraud exhibit the three components of the fraud triangle?

Unfortunately, this is one of many examples that occur on a daily basis. In almost any city on almost any day, there are articles in local newspapers about a theft from a company by its employees. Although these thefts can involve assets such as inventory, most often, employee theft involves cash that the employee has access to as part of his or her day-to-day job.

Accountants, and other members of the management team, are in a good position to control the perceived opportunity side of the fraud triangle through good internal controls, which are policies and procedures used by management and accountants of a company to protect assets and maintain proper and efficient operations within a company with the intent to minimize fraud. An internal auditor is an employee of an organization whose job is to provide an independent and objective evaluation of the company's accounting and operational activities. Management typically reviews the recommendations and implements stronger internal controls.

Another important role is that of an external auditor, who generally works for an outside certified public accountant (CPA) firm or his or her own private practice and conducts audits and other assignments, such as reviews. Importantly, the external auditor is not an employee of the client. The external auditor prepares reports and then provides opinions as to whether or not the financial statements accurately reflect the financial conditions of the company, subject to generally accepted accounting principles (GAAP). External auditors can maintain their own practice, or they might be employed by national or regional firms.

Ethical Considerations

Internal Auditors and Their Code of Ethics

Internal auditors are employees of an organization who evaluate internal controls and other operational metrics, and then ethically report their findings to management. An internal auditor may be a Certified Internal Auditor (CIA), an accreditation granted by the Institute of Internal Auditors (IIA). The IIA defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes".

Internal auditors have their own organizational code of ethics. According to the IIA, "the purpose of The Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing". Company management relies on a disciplined and truthful approach to reporting. The internal auditor is expected to keep confidential any received information, while reporting results in an objective fashion. Management trusts internal auditors to perform their work in a competent manner and with integrity, so that the company can make the best decisions moving forward.

One of the issues faced by any organization is that internal control systems can be overridden and can be ineffective if not followed by management or employees. The use of internal controls in both accounting and operations can reduce the risk of fraud. In the unfortunate event that an organization is a victim of fraud, the internal controls should provide tools that can be used to identify who is responsible for the fraud and provide evidence that can be used to prosecute the individual responsible for the fraud. This chapter discusses internal controls in the context of accounting and controlling for cash in a typical business setting. These examples are applicable to the other ways in which an organization may protect its assets and protect itself against fraud.

Define and Explain Internal Controls and Their Purpose within an Organization

Internal controls are the systems used by an organization to manage risk and diminish the occurrence of fraud. The internal control structure is made up of the control environment, the accounting system, and procedures called control activities. Several years ago, the Committee of Sponsoring Organizations (COSO), which is an independent, private-sector group whose five sponsoring organizations periodically identify and address specific accounting issues or projects, convened to address the issue of internal control deficiencies in the operations and accounting systems of organizations. They subsequently published a report that is known as COSO's Internal Control-Integrated Framework. The five components that they determined were necessary in an effective internal control system make up the components in the internal controls triangle shown in Figure 8.3.

Figure 8.3 The Internal Control Environment.

Here we address some of the practical aspects of internal control systems. The internal control system consists of the formal policies and procedures that do the following:

• ensure assets are properly used
• ensure that the accounting system is functioning properly
• monitor operations of the organization to ensure maximum efficiency
• ensure that assets are kept secure
• ensure that employees are in compliance with corporate policies
  

A properly designed and functioning internal control system will not eliminate the risk of loss, but it will reduce the risk.

Different organizations face different types of risk, but when internal control systems are lacking, the opportunity arises for fraud, misuse of the organization's assets, and employee or workplace corruption. Part of an accountant's function is to understand and assist in maintaining the internal control in the organization.

Link to Learning

https://www.theiia.org/en/?AZRedirect=True

See the Institute of Internal Auditors website to learn more about many of the professional functions of the internal auditor.

Internal control keeps the assets of a company safe and keeps the company from violating any laws, while fairly recording the financial activity of the company in the accounting records. Proper accounting records are used to create the financial statements that the owners use to evaluate the operations of a company, including all company and employee activities. Internal controls are more than just reviews of how items are recorded in the company's accounting records; they also include comparing the accounting records to the actual operations of the company.

For example, a movie theater earns most of its profits from the sale of popcorn and soda at the concession stand. The prices of the items sold at the concession stand are typically high, even though the costs of popcorn and soda are low. Internal controls allow the owners to ensure that their employees do not give away the profits by giving away sodas and popcorn.

If you were to go to the concession stand and ask for a cup of water, typically, the employee would give you a clear, small plastic cup called a courtesy cup. This internal control, the small plastic cup for nonpaying customers, helps align the accounting system and the theater's operations. A movie theater does not use a system to directly account for the sale of popcorn, soda, or ice used. Instead, it accounts for the containers. A point-of-sale system compares the number of soda cups used in a shift to the number of sales recorded in the system to ensure that those numbers match. The same process accounts for popcorn buckets and other containers. Providing a courtesy cup ensures that customers drinking free water do not use the soda cups that would require a corresponding sale to appear in the point-of-sale system. The cost of the popcorn, soda, and ice will be recorded in the accounting system as an inventory item, but the internal control is the comparison of the recorded sales to the number of containers used. This is just one type of internal control. As we discuss the internal controls, we see that the internal controls are used both in accounting, to provide information for management to properly evaluate the operations of the company, and in business operations, to reduce fraud.

It should be clear how important internal control is to all businesses, regardless of size. An effective internal control system allows a business to monitor its employees, but it also helps a company protect sensitive customer data. Consider the 2017 massive data breach at Equifax that compromised data of over 143 million people. With proper internal controls functioning as intended, there would have been protective measures to ensure that no unauthorized parties had access to the data. Not only would internal controls prevent outside access to the data, but proper internal controls would protect the data from corruption, damage, or misuse.

Your Turn

Bank Fraud in Enid, Oklahoma

The retired mayor of Enid, Oklahoma, Ernst Currier, had a job as a loan officer and then as a senior vice president at Security National Bank. In his bank job, he allegedly opened 61 fraudulent loans. He used the identities of at least nine real people as well as eight fictitious people and stole about $6.2 million.4 He was sentenced to 13 years in prison on 33 felony counts.

Currier was able to circumvent one of the most important internal controls: segregation of duties. The American Institute of Certified Public Accountants (AICPA) states that segregation of duties "is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable". Currier used local residents' identities and created false documents to open loans for millions of dollars and then collect the funds himself, without any oversight by any other employee. Creating these loans allowed him to walk up to the bank vault and take cash out of the bank without anyone questioning him. There was no segregation of duties for opening loans, or if there was, he was able to easily override those internal controls.

How could internal controls have helped prevent Currier's bank fraud in Enid, Oklahoma?

Solution

Simply having someone else confirm the existence of the borrower and make the payment for the loan directly to the borrower would have saved this small bank millions of dollars.

Consider a bank that has to track deposits for thousands of customers. If a fire destroys the building housing the bank's servers, how can the bank find the balances of each customer? Typically, organizations such as banks mirror their servers at several locations around the world as an internal control. The bank might have a main server in Tennessee but also mirror all data in real time to identical servers in Arizona, Montana, and even offshore in Iceland. With multiple copies of a server at multiple locations across the country, or even the world, in the event of disaster to one server, a backup server can take control of operations, protecting customer data and avoiding any service interruptions.

Internal controls are the basic components of an internal control system, the sum of all internal controls and policies within an organization that protect assets and data. A properly designed system of internal controls aims to ensure the integrity of assets, allows for reliable accounting information and financial reporting, enhances efficiency within an organization, and provides guidelines and possible consequences for dealing with breaches. Internal controls drive many decisions and overall operational procedures within an organization. A properly designed internal control system will not prevent all loss from occurring, but it will significantly reduce the risk of loss and increase the chance of identifying the responsible party.

Continuing Application

Fraud Controls for Grocery Stores

All businesses are concerned with internal controls over reporting and assets. For the grocery industry this concern is even greater, because profit margins on items are so small that any lost opportunity hurts profitability. How can an individual grocery store develop effective controls?

Consider the two biggest items that a grocery store needs to control: food (inventory) and cash. Inventory controls are set up to stop shrinkage (theft). While it is not profitable for each aisle to be patrolled by a security guard, cameras throughout the store linked to a central location allow security staff to observe customers. More controls are placed on cash registers to prevent employees from stealing cash. Cameras at each register, cash counts at each shift change, and/or a supervisor who observes cashiers are some potential internal control methods. Grocery stores invest more resources in controlling cash because they have determined it to be the greatest opportunity for fraudulent activity.

The Role of Internal Controls

The accounting system is the backbone of any business entity, whether it is profit based or not. It is the responsibility of management to link the accounting system with other functional areas of the business and ensure that there is communication among employees, managers, customers, suppliers, and all other internal and external users of financial information. With a proper understanding of internal controls, management can design an internal control system that promotes a positive business environment that can most effectively serve its customers.

For example, a customer enters a retail store to purchase a pair of jeans. As the cashier enters the jeans into the point-of-sale system, the following events occur internally:

1. A sale is recorded in the company's journal, which increases revenue on the income statement. If the transaction occurred by credit card, the bank typically transfers the funds into the store's bank account in a timely manner.
2. The pair of jeans is removed from the inventory of the store where the purchase was made.
3. A new pair of jeans is ordered from the distribution center to replace what was purchased from the store's inventory.
4. The distribution center orders a new pair of jeans from the factory to replace its inventory.
5. Marketing professionals can monitor over time the trend and volume of jeans sold in a specific size. If an increase or decrease in sales volume of a specific size is noted, store inventory levels can be adjusted.
6. The company can see in real time the exact inventory levels of all products in all stores at all times, and this can ensure the best customer access to products.
   

Because many systems are linked through technology that drives decisions made by many stakeholders inside and outside of the organization, internal controls are needed to protect the integrity and ensure the flow of information. An internal control system also assists all stakeholders of an organization to develop an understanding of the organization and provide assurance that all assets are being used efficiently and accurately.

Environment Leading to the Sarbanes-Oxley Act

Internal controls have grown in their importance as a component of most business decisions. This importance has grown as many company structures have grown in complexity. Despite their importance, not all companies have given maintenance of controls top priority. Additionally, many small businesses do not have adequate understanding of internal controls and therefore use inferior internal control systems. Many large companies have nonformalized processes, which can lead to systems that are not as efficient as they could be. The failure of the SCICAP Credit Union discussed earlier is a direct result of a small financial institution having a substandard internal control system leading to employee theft. One of the largest corporate failures of all time was Enron, and the failure can be directly attributed to poor internal controls.

Enron was one of the largest energy companies in the world in the late twentieth century. However, a corrupt management attempted to hide weak financial performance by manipulating revenue recognition, valuation of assets on the balance sheet, and other financial reporting disclosures so that the company appeared to have significant growth. When this practice was uncovered, the owners of Enron stock lost $40 billion as the stock price dropped from $91 per share to less than $1 per share, as shown in Figure 8.4. This failure could have been prevented had proper internal controls been in place.

For example, Enron and its accounting firm, Arthur Andersen, did not maintain an adequate degree of independence. Arthur Andersen provided a significant amount of services in both auditing and consulting, which prevented them from approaching the audit of Enron with a proper degree of independence. Also, among many other violations, Enron avoided the proper use of several acceptable reporting requirements.

Figure 8.4 Change in Enron Stock Price. The Enron scandal was one of the largest frauds in the history of modern business. It was the main fraud that was responsible for creation of the Sarbanes-Oxley Act as well as the Public Company Accounting Oversight Board (PCAOB). 

As a result of the Enron failure and others that occurred during the same time frame, Congress passed the Sarbanes-Oxley Act (SOX) to regulate practice to manage conflicts of analysts, maintain governance, and impose guidelines for criminal conduct as well as sanctions for violations of conduct. It ensures that internal controls are properly documented, tested, and used consistently. The intent of the act was to ensure that corporate financial statements and disclosures are accurate and reliable. It is important to note that SOX only applies to public companies. A publicly traded company is one whose stock is traded (bought and sold) on an organized stock exchange. Smaller companies still struggle with internal control development and compliance due to a variety of reasons, such as cost and lack of resources.

Major Accounting Components of the Sarbanes-Oxley Act

As it pertains to internal controls, the SOX requires the certification and documentation of internal controls. Specifically, the act requires that the auditor do the following:

1. Issue an internal control report following the evaluation of internal controls.
2. Limit nonaudit services, such as consulting, that are provided to a client.
3. Rotate who can lead the audit. The person in charge of the audit can serve for a period of no longer than seven years without a break of two years.
   

Additionally, the work conducted by the auditor is to be overseen by the Public Company Accounting Oversight Board (PCAOB). The PCAOB is a congressionally established, nonprofit corporation. Its creation was included in the Sarbanes-Oxley Act of 2002 to regulate conflict, control disclosures, and set sanction guidelines for any violation of regulations. The PCAOB was assigned the responsibilities of ensuring independent, accurate, and informative audit reports, monitoring the audits of securities brokers and dealers, and maintaining oversight of the accountants and accounting firms that audit publicly traded companies.

Link to Learning

https://pcaobus.org/

Visit the Public Company Accounting Oversight Board (PCAOB) website to learn more about what it does.

Any employee found to violate SOX standards can be subject to very harsh penalties, including $5 million in fines and up to 20 to 25 years in prison. The penalty is more severe for securities fraud (25 years) than for mail or wire fraud (20 years).

The SOX is relatively long and detailed, with Section 404 having the most application to internal controls. Under Section 404, management of a company must perform annual audits to assess and document the effectiveness of all internal controls that have an impact on the financial reporting of the organization. Also, selected executives of the firm under audit must sign the audit report and state that they attest that the audit fairly represents the financial records and conditions of the company.

The financial reports and internal control system must be audited annually. The cost to comply with this act is very high, and there is debate as to how effective this regulation is. Two primary arguments that have been made against the SOX requirements is that complying with their requirements is expensive, both in terms of cost and workforce, and the results tend not to be conclusive. Proponents of the SOX requirements do not accept these arguments.

One available potential response to mandatory SOX compliance is for a company to decertify (remove) its stock for trade on the available stock exchanges. Since SOX affects publicly traded companies, decertifying its stock would eliminate the SOX compliance requirement. However, this has not proven to be a viable option, primarily because investors enjoy the protection SOX provides, especially the requirement that the companies in which they invest undergo a certified audit prepared by CPAs employed by national or regional accounting firms. Also, if a company takes its stock off of an organized stock exchange, many investors assume that a company is in trouble financially and that it wants to avoid an audit that might detect its problems.

Your Turn

The Growing Importance of the Report on Internal Controls

Internal controls have become an important aspect of financial reporting. As part of the financial statements, the auditor has to issue a report with an opinion on the financial statements, as well as internal controls. Use the internet and locate the annual report of a company, specifically the report on internal controls. What does this report tell the user of financial information?

Solution

The annual report informs the user about the financial results of the company, both in discussion by management as well as the financial statements. Part of the financial statements involves an independent auditor's report on the integrity of the financial statements as well as the internal controls.

Link to Learning

https://www.ispartnersllc.com/blog/how-do-internal-audits-work/

Many companies have their own internal auditors on staff. The role of the internal auditor is to test and ensure that a company has proper internal controls in place, and that they are functioning. Read about how the internal audit works from I.S. Partners to learn more.

Describe Internal Controls within an Organization

The use of internal controls differs significantly across organizations of different sizes. In the case of small businesses, implementation of internal controls can be a challenge, due to cost constraints, or because a small staff may mean that one manager or owner will have full control over the organization and its operations. An owner in charge of all functions has enough knowledge to keep a close eye on all aspects of the organization and can track all assets appropriately. In smaller organizations in which responsibilities are delegated, procedures need to be developed in order to ensure that assets are tracked and used properly.

When an owner cannot have full oversight and control over an organization, internal control systems need to be developed. When an appropriate internal control system is in place, it is interlinked to all aspects of the entity's operations. An appropriate internal control system links the accounting, finance, operations, human resources, marketing, and sales departments within an organization. It is important that the management team, as well as employees, recognize the importance of internal controls and their role in preventing losses, monitoring performance, and planning for the future.

Elements of Internal Control

A strong internal control system is based on the same consistent elements:

• establishment of clear responsibilities
• proper documentation
• adequate insurance
• separation of assets from custody
• separation of duties
• use of technology

Establishment of Clear Responsibilities

A properly designed system of internal control clearly dictates responsibility for certain roles within an organization. When there is a clear statement of responsibility, issues that are uncovered can be easily traced and responsibility placed where it belongs.

As an example, imagine that you are the manager of the Galaxy's Best Yogurt. On any shift, you have three employees working in the store. One employee is designated as the shift supervisor who oversees the operations of the other two employees on the shift and ensures that the store is presented and functioning properly. Of the other two employees, one may be solely responsible for management of the cash register, while the others serve the customers. When only one employee has access to an individual cash register, if there is an overage or shortage of cash, it can be traced to the one employee who is in charge of the cash register.

Proper Documentation

An effective internal control system maintains proper documentation, including backups, to trace all transactions. The documentation can be paper copies, or documents that are computer generated and stored, on flash drives or in the cloud, for example. Given the possibility of some type of natural (tornado or flood) or man-made (arson) disasters, even the most basic of businesses should create backup copies of documentation that are stored off-site.

In addition, any documentation generated by daily operations should be managed according to internal controls. For example, when the Galaxy's Best Yogurt closes each day, one employee should close out and reconcile the cash drawer using prenumbered forms in pen to ensure that no forms can be altered or changed by another employee who may have access to the cash. In case of an error, the employee responsible for making the change should initial any changes on the form. If there are special orders for cakes or other products, the order forms should be prenumbered. The use of prenumbered documents provides assurance that all sales are recorded. If a form is not prenumbered, an order can be prepared, and the employee can then take the money without ringing the order into the cash register, leaving no record of the sale.

Adequate Insurance

Insurance may be a significant cost to an organization (especially liability coverage), but it is necessary. With adequate insurance on an asset, if it is lost or destroyed, an outside party will recoup the company for the loss. If assets are lost to fraud or theft, an insurance company will investigate the loss and will press criminal charges against any employee found to be involved. Very often, the employer will be hesitant to pursue criminal charges against an employee due to the risk of lawsuit or bad publicity. For example, an employee might assume that the termination was age related and is going to sue the company. Also, there might be a situation where the company experienced a loss, such as theft, and it does not want to let the general public know that there are potential deficiencies in its security system.

If the insurance company presses charges on behalf of the company, this protects the organization and also acts as a deterrent if employees know that the insurance company will always prosecute theft. For example, suppose the manager of the Galaxy's Best Yogurt stole $10,000 cash over a period of two years. The owner of the yogurt store will most likely file an insurance claim to recover the $10,000 that was stolen. With proper insurance, the insurance company will reimburse the yogurt store for the money but then has the right to press charges and recover its losses from the employee who was caught stealing. The store owner will have no control over the insurance company's efforts to recover the $10,000 and will likely be forced to fire the employee in order to keep the insurance policy.

Separation of Assets from Custody

Separation of assets from custody ensures that the person who controls an asset cannot also keep the accounting records. This action prevents one employee from taking income from the business and entering a transaction on the accounting records to cover it up. For example, one person within an organization may open an envelope that contains a check, but a different person would enter the check into the organization's accounting system. In the case of the Galaxy's Best Yogurt, one employee may count the money in the cash register drawer at the end of the night and reconcile it with the sales, but a different employee would recount the money, prepare the bank deposit, and ensure that the deposit is made at the bank.

Separation of Duties

A properly designed internal control system assures that at least two (if not more) people are involved with most transactions. The purpose of separating duties is to ensure that there is a check and balance in place. One common internal control is to have one employee place an inventory order and a different employee receive the order as it is delivered. For example, assume that an employee at the Galaxy's Best Yogurt places an inventory order. In addition to the needed inventory, the employee orders an extra box of piecrusts. If that employee also receives the order, he or she can take the piecrusts home, and the store will still pay for them. Check signing is another important aspect of separation of duties. Typically, the person who writes a check should not also sign the check. Additionally, the person who places supply orders should not write checks to pay the bills for these supplies.

Use of Technology

Technology has made the process of internal control simpler and more approachable to all businesses. There are two reasons that the use of technology has become more prevalent. The first is the development of more user-friendly equipment, and the second is the reduction in costs of security resources. In the past, if a company wanted a security system, it often had to go to an outside security firm, and the costs of providing and monitoring the system were prohibitive for many small businesses. Currently, security systems have become relatively inexpensive, and not only do many small businesses now have them, they are now commonly used by residential homeowners.

In terms of the application of security resources, some businesses use surveillance cameras focused on key areas of the organization, such as the cash register and areas where a majority of work is performed. Technology also allows businesses to use password protection on their data or systems so that employees cannot access systems and change data without authorization. Businesses may also track all employee activities within an information technology system.

Even if a business uses all of the elements of a strong internal control system, the system is only as good as the oversight. As responsibilities, staffing, and even technology change, internal control systems need to be constantly reviewed and refined. Internal control reviews are typically not conducted by inside management but by internal auditors who provide an impartial perspective of where controls are working and where they can be improved.

Purposes of Internal Controls within a Governmental Entity

Internal controls apply not only to public and private corporations but also to governmental entities. Often, a government controls one of the most important assets of modern times: data. Unprotected financial information, including tax data, social security, and governmental identifications, could lead to identity theft and could even provide rogue nations access to data that could compromise the security of our country. Governmental entities require their contractors to have proper internal controls and to maintain proper codes of ethics.

Ethical Considerations

Ethics in Governmental Contractors

Government entities are not the only organizations required to implement proper internal controls and codes of ethics. As part of the business relationship between different organizations, governmental agencies also require contractors and their subcontractors to implement internal controls to ensure compliance with proper ethical conduct. The Federal Acquisition Regulation (FAR) Council outlines regulations under FAR 3.10, which require governmental contractors and their subcontractors to implement a written "Contractor Code of Business Ethics and Conduct," and the proper internal controls to ensure that the code of ethics is followed. An employee training program, posting of agency inspector general hotline posters, and an internal control system to promote compliance with the established ethics code are also required. Contractors must disclose violations of federal criminal law involving fraud, conflicts of interest, bribery, or gratuity violations; violations of the civil False Claims Act; and significant overpayments on a contract not resulting from contract financing payments. Such internal controls help ensure that an organization and its business relationships are properly managed.

To recognize the significant need for internal controls within the government, and to ensure and enforce compliance, the US Government Accountability Office (GAO) has its own standards for internal control within the federal government. All government agencies are subject to governance under these standards, and one of the objectives of the GAO is to provide audits on agencies to ensure that proper controls are in place and within compliance. Standards for internal control within the federal government are located within a publication referred to as the "Green Book," or Standards for Internal Control in the Federal Government.

Link to Learning

https://www.gao.gov/greenbook

Government organizations have their own needs for internal controls. Read the GAO "Green Book" to learn more about these internal control procedures.

Purposes of Internal Controls within a Not-for-Profit

Not-for-profit (NFP) organizations have the same needs for internal control as many traditional for-profit entities. At the same time, there are unique challenges that these entities face. Based on the objectives and charters of NFP organizations, in many cases, those who run the organizations are volunteers. As volunteers, leaders of NFPs may not have the same training background and qualifications as those in a similar for-profit position. Additionally, a volunteer leader often splits time between the organization and a full-time career. For these reasons, internal controls in an NFP often are not properly implemented, and there may be a greater risk of control lapse. A control lapse occurs when there is a deviation from standard control protocol that leads to a failure in the internal control and/or fraud prevention processes or systems. A failure occurs in a situation when results did not achieve predetermined goals or meet expectations.

Not-for-profit organizations have an extra category of finances that need protection, in addition to their assets. They need to ensure that incoming donations are used as intended. For example, many colleges and universities are classified as NFP organizations, and donations are a significant source of revenue. However, donations are often directed to a specific source. For example, suppose an alumnus of Alpha University wants to make a $1,000,000 donation to the business school for undergraduate student scholarships. Internal controls would track that donation to ensure it paid for scholarships for undergraduate students in the business school and was not used for any other purpose at the school, in order to avoid potential legal issues.

Identify and Apply Principles of Internal Controls to the Receipt and Disbursement of Cash

Cash can be a major part of many business operations. Imagine a Las Vegas casino, or a large grocery store, such as Publix Super Markets, Wegmans Food Markets, or ShopRite; in any of these settings, millions of dollars in cash can change hands within a matter of minutes, and it can pass through the hands of thousands of employees. Internal controls ensure that all of this cash reaches the bank account of the business entity. The first control is monitoring. Not only are cameras strategically placed throughout the store to prevent shoplifting and crime by customers, but cameras are also located over all areas where cash changes hands, such as over every cash register, or in a casino over every gaming table. These cameras are constantly monitored, often offsite at a central location by personnel who have no relationship with the employees who handle the cash, and all footage is recorded. This close monitoring makes it more difficult for misuse of cash to occur.

Additionally, access to cash is tightly controlled. Within a grocery store, each employee has his or her own cash drawer with a set amount of cash. At any time, any employee can reconcile the sales recorded within the system to the cash balance that should be in the drawer. If access to the drawer is restricted to one employee, that employee is responsible when cash is missing. If one specific employee is consistently short on cash, the company can investigate and monitor the employee closely to determine if the shortages are due to theft or if they are accidental, such as if they resulted from errors in counting change. Within a casino, each time a transaction occurs and when there is a shift change for the dealers, cash is counted in real time. Casino employees dispersed on the gaming floor are constantly monitoring play, in addition to those monitoring cameras behind the scenes.

Technology plays a major role in the maintenance of internal controls, but other principles are also important. If an employee makes a mistake involving cash, such as making an error in a transaction on a cash register, the employee who made the mistake typically cannot correct the mistake. In most cases, a manager must review the mistake and clear it before any adjustments are made. These changes are logged to ensure that managers are not clearing mistakes for specific employees in a pattern that could signify collusion, which is considered to be a private cooperation or agreement primarily for a deceitful, illegal, or immoral cause or purpose. Duties are also separated to count cash on hand and ensure records are accurate. Often, at the end of the shift, a manager or employee other than the person responsible for the cash is responsible for counting cash on hand within the cash drawer. For example, at a grocery store, it is common for an employee who has been checking out customers for a shift to then count the money in the register and prepare a document providing the counts for the shift. This employee then submits the counted tray to a supervisor, such as a head cashier, who then repeats the counting and documentation process. The two counts should be equal. If there is a discrepancy, it should immediately be investigated. If the store accepts checks and credit/debit card payments, these methods of payments are also incorporated into the verification process.

In many cases, the sales have also been documented either by a paper tape or by a computerized system. The ultimate goal is to determine if the cash, checks, and credit/debit card transactions equal the amount of sales for the shift. For example, if the shift's register had sales of $800, then the documentation of counted cash and checks, plus the credit/debit card documentation should also add up to $800.

Despite increased use of credit cards by consumers, our economy is still driven by cash. As cash plays a very important role in society, efforts must be taken to control it and ensure that it makes it to the proper areas within an organization. The cost of developing, maintaining, and monitoring internal controls is significant but important. Considering the millions of dollars of cash that can pass through the hands of employees on any given day, the high cost can be well worth it to protect the flow of cash within an organization.

Link to Learning

https://www.councilofnonprofits.org/tools-resources/internal-controls-nonprofits

Internal controls are as important for not-for-profit businesses as they are within the for-profit sector. See this guide for not-for-profit businesses to set up and maintain proper internal control systems provided by the National Council of Nonprofits.

Think It Through

Hiring Approved Vendors
One internal control that companies often have is an official "approved vendor" list for purchases. Why is it important to have an approved vendor list?

Define the Purpose and Use of a Petty Cash Fund, and Prepare Petty Cash Journal Entries

As we have discussed, one of the hardest assets to control within any organization is cash. One way to control cash is for an organization to require that all payments be made by check. However, there are situations in which it is not practical to use a check. For example, imagine that the Galaxy's Best Yogurt runs out of milk one evening. It is not possible to operate without milk, and the normal shipment does not come from the supplier for another 48 hours. To maintain operations, it becomes necessary to go to the grocery store across the street and purchase three gallons of milk. It is not efficient for time and cost to write a check for this small purchase, so companies set up a petty cash fund, which is a predetermined amount of cash held on hand to be used to make payments for small day-to-day purchases. A petty cash fund is a type of imprest account, which means that it contains a fixed amount of cash that is replaced as it is spent in order to maintain a set balance.

To maintain internal controls, managers can use a petty cash receipt (Figure 8.5), which tracks the use of the cash and requires a signature from the manager.

Figure 8.5 Petty Cash Voucher. A petty cash voucher is an important internal control document to trace the use of cash within a petty cash fund. This voucher allows management to track the use of cash, the balance that should be within the account, and the person responsible for the approval of a payment from the account.

As cash is spent from a petty cash fund, it is replaced with a receipt of the purchase. At all times, the balance in the petty cash box should be equal to the cash in the box plus the receipts showing purchases.

For example, the Galaxy's Best Yogurt maintains a petty cash box with a stated balance of $75 at all times. Upon review of the box, the balance is counted in the following way.

Because there may not always be a manager with check signing privileges available to sign a check for unexpected expenses, a petty cash account allows employees to make small and necessary purchases to support the function of a business when it is not practical to go through the formal expense process. In all cases, the amount of the purchase using petty cash would be considered to not be material in nature. Recall that materiality means that the dollar amount in question would have a significant impact in financial results or influence investor decisions.

Demonstration of Typical Petty Cash Journal Entries

Petty cash accounts are managed through a series of journal entries. Entries are needed to (1) establish the fund, (2) increase or decrease the balance of the fund (replenish the fund as cash is used), and (3) adjust for overages and shortages of cash. Consider the following example.

The Galaxy's Best Yogurt establishes a petty cash fund on July 1 by cashing a check for $75 from its checking account and placing cash in the petty cash box. At this point, the petty cash box has $75 to be used for small expenses with the authorization of the responsible manager. The journal entry to establish the petty cash fund would be as follows.

As this petty cash fund is established, the account titled "Petty Cash" is created; this is an asset on the balance sheet of many small businesses. In this case, the cash account, which includes checking accounts, is decreased, while the funds are moved to the petty cash account. One asset is increasing, while another asset is decreasing by the same account. Since the petty cash account is an imprest account, this balance will never change and will remain on the balance sheet at $75, unless management elects to change the petty cash balance.

Throughout the month, several payments are made from the petty cash account of the Galaxy's Best Yogurt. Assume the following activities.

At the end of July, in the petty cash box there should be a receipt for the postage stamp purchase, a receipt for the milk, a receipt for the window cleaner, and the remaining cash. The employee in charge of the petty cash box should sign each receipt when the purchase is made. The total amount of purchases from the receipts ($45), plus the remaining cash in the box should total $75. As the receipts are reviewed, the box must be replenished for what was spent during the month. The journal entry to replenish the petty cash account will be as follows.

Typically, petty cash accounts are reimbursed at a fixed time period. Many small businesses will do this monthly, which ensures that the expenses are recognized within the proper accounting period. In the event that all of the cash in the account is used before the end of the established time period, it can be replenished in the same way at any time more cash is needed. If the petty cash account often needs to be replenished before the end of the accounting period, management may decide to increase the cash balance in the account. If, for example, management of the Galaxy's Best Yogurt decides to increase the petty cash balance to $100 from the current balance of $75, the journal entry to do this on August 1 would be as follows.

If the management at a later date decides to decrease the balance in the petty cash account, the previous entry would be reversed, with cash being debited and petty cash being credited.

Occasionally, errors may occur that affect the balance of the petty cash account. This may be the result of an employee not getting a receipt or getting back incorrect change from the store where the purchase was made. In this case, an expense is created that creates a cash overage or shortage.

Consider Galaxy's expenses for July. During the month, $45 was spent on expenses. If the balance in the petty cash account is supposed to be $75, then the petty cash box should contain $45 in signed receipts and $30 in cash. Assume that when the box is counted, there are $45 in receipts and $25 in cash. In this case, the petty cash balance is $70, when it should be $75. This creates a $5 shortage that needs to be replaced from the checking account. The entry to record a cash shortage is as follows.

When there is a shortage of cash, we record the shortage as a "debit" and this has the same effect as an expense. If we have an overage of cash, we record the overage as a credit, and this has the same impact as if we are recording revenue. If there were cash overage, the petty cash account would be debited and the cash over and short account would be credited. In this case, the expense balance decreases, and the year-end balance is the net balance from all overages and shortages during the year.

If a petty cash account is consistently short, this may be a warning sign that there is not a proper control of the account, and management may want to consider additional controls to better monitor petty cash.

Think It Through

Cash versus Debit Card
A petty cash system in some businesses may be replaced by use of a prepaid credit card (or debit card) on site. What would be the pros and cons of actually maintaining cash on premises for the petty cash system, versus a rechargeable debit card that employees may use for petty cash purposes? Which option would you select for your petty cash account if you were the owner of a small business?

Link to Learning

https://smallbusiness.chron.com/internal-control-features-exist-petty-cash-60919.html

See this article on tips for companies to establish and manage petty cash systems to learn more.

Discuss Management Responsibilities for Maintaining Internal Controls within an Organization

Because internal controls do protect the integrity of financial statements, large companies have become highly regulated in their implementation. In addition to Section 404 of the SOX, which addresses reporting and testing requirements for internal controls, there are other sections of the act that govern management responsibility for internal controls. Although the auditor reviews internal controls and advises on the improvement of controls, ultimate responsibility for the controls is on the management of the company. Under SOX Section 302, in order to provide additional assurance to the financial markets, the chief executive officer (CEO), who is the executive within a company with the highest-ranking title and the overall responsibility for management of the company, and the chief financial officer (CFO), who is the corporation officer who reports to the CEO and oversees all of the accounting and finance concerns of a company, must personally certify that (1) they have reviewed the internal control report provided by the auditor; (2) the report does not contain any inaccurate information; and (3) they believe that all financial information fairly states the financial conditions, income, and cash flows of the entity. The sign-off under Section 302 makes the CEO and CFO personally responsible for financial reporting as well as internal control structure.

While the executive sign-offs seem like they would be just a formality, they actually have a great deal of power in court cases. Prior to SOX, when an executive swore in court that he or she was not aware of the occurrence of some type of malfeasance, either committed by his or her firm or against his or her firm, the executive would claim a lack of knowledge of specific circumstances. The typical response was, "I can't be expected to know everything". In fact, in virtually all of the trials involving potential malfeasance, this claim was made and often was successful in a not-guilty verdict.

The initial response to the new SOX requirements by many people was that there was already sufficient affirmation by the CEO and CFO and other executives to the accuracy and fairness of the financial statements and that the SOX requirements were unnecessary. However, it was determined that the SOX requirements provided a degree of legal responsibility that previously might have been assumed but not actually stated.

Even if a company is not public and not governed by the SOX, it is important to note that the tone is set at the managerial level, called the tone at the top. If management respects the internal control system and emphasizes the importance of maintaining proper internal controls, the rest of the staff will follow and create a cohesive environment. A proper tone at the top demonstrates management's commitment toward openness, honesty, integrity, and ethical behavior.

Your Turn

Defending the Sarbanes-Oxley Act

You are having a conversation with the CFO of a public company. Imagine that the CFO complains that there is no benefit to Sections 302 and 404 of the Sarbanes-Oxley Act relative to the cost, as "our company has always valued internal controls before this regulation and never had an issue". He believes that this regulation is an unnecessary overstep. How would you respond and defend the need for Sections 302 and 404 of the Sarbanes-Oxley Act?

Solution

I would tell the CFO the following:

1. Everyone says that they have always valued internal controls, even those who did not.
2. Better security for the public is worth the cost.
3. The cost of compliance is more than recovered in the company's market price for its stock.

Think It Through

Personal Internal Controls
Technology plays a very important role in internal controls. One recent significant security breach through technology was the Equifax breach. What is an internal control that you can personally implement to protect your personal data as a result of this breach, or any other future breach?

Define the Purpose of a Bank Reconciliation, and Prepare a Bank Reconciliation and Its Associated Journal Entries

The bank is a very important partner to all businesses. Not only does the bank provide basic checking services, but they process credit card transactions, keep cash safe, and may finance loans when needed.

Bank accounts for businesses can involve thousands of transactions per month. Due to the number of ongoing transactions, an organization's book balance for its checking account rarely is the same as the balance that the bank records reflect for the entity at any given point. These timing differences are typically caused by the fact that there will be some transactions that the organization is aware of before the bank, or transactions the bank is aware of before the company.

For example, if a company writes a check that has not cleared yet, the company would be aware of the transaction before the bank is. Similarly, the bank might have received funds on the company's behalf and recorded them in the bank's records for the company before the organization is aware of the deposit.

With the large volume of transactions that impact a bank account, it becomes necessary to have an internal control system in place to assure that all cash transactions are properly recorded within the bank account, as well as on the ledger of the business. The bank reconciliation is the internal financial report that explains and documents any differences that may exist between the balance of a checking account as reflected by the bank's records (bank balance) for a company and the company's accounting records (company balance).

The bank reconciliation is an internal document prepared by the company that owns the checking account. The transactions with timing differences are used to adjust and reconcile both the bank and company balances; after the bank reconciliation is prepared accurately, both the bank balance and the company balance will be the same amount.

Note that the transactions the company is aware of have already been recorded (journalized) in its records. However, the transactions that the bank is aware of but the company is not must be journalized in the entity's records.

Fundamentals of the Bank Reconciliation Procedure

The balance on a bank statement can differ from company's financial records due to one or more of the following circumstances:

• An outstanding check: a check that was written and deducted from the financial records of the company but has not been cashed by the recipient, so the amount has not been removed from the bank account.
• A deposit in transit: a deposit that was made by the business and recorded on its books but has not yet been recorded by the bank.
• Deductions for a bank service fee: fees often charged by banks each month for management of the bank account. These may be fixed maintenance fees, per-check fees, or a fee for a check that was written for an amount greater than the balance in the checking account, called a nonsufficient funds (NSF) check. These fees are deducted by the bank from the account but would not appear on the financial records.
• Errors initiated by either the client or the bank: for example, the client might record a check incorrectly in its records, for either a greater or lesser amount than was written. Also, the bank might report a check either with an incorrect balance or in the wrong client's checking account.
• Additions such as interest or funds collected by the bank for the client: interest is added to the bank account as earned but is not reported on the financial records. These additions might also include funds collected by the bank for the client.

Demonstration of a Bank Reconciliation

A bank reconciliation is structured to include the information shown in Figure 8.6.

Figure 8.6 Bank Reconciliation. A bank reconciliation includes categories for adjustments to both the bank balance and the book balance.

Assume the following circumstances for Feeter Plumbing Company, a small business located in Northern Ohio.

1. After all posting is up to date, at the end of July 31, the book balance shows $32,760, and the bank statement balance shows $77,040.
2. Check 5523 for $9,620 and 6547 for $10,000 are outstanding.
3. Check 5386 for $2,000 is removed from the bank account correctly but is recorded on the accounting records for $1,760. This was in payment of dues. The effects of this transaction resulted in an error of $240 that must be deducted from the company's book balance.
4. The July 31 night deposit of $34,300 was delivered to the bank after hours. As a result, the deposit is not on the bank statement, but it is on the financial records.
5. Upon review of the bank statement, an error is uncovered. A check is removed from the account from Feeter for $320 that should have been removed from the account of another customer of the bank.
6. In the bank statement is a note stating that the bank collected $60,000 in charges (payments) from the credit card company as well as $1,800 in interest. This transaction is on the bank statement but not in the company's financial records.
7. The bank notified Feeter that a $2,200 check was returned unpaid from customer Berson due to insufficient funds in Berson's account. This check return is reflected on the bank statement but not in the records of Feeter.
8. Bank service charges for the month are $80. They have not been recorded on Feeter's records.
   

Each item would be recorded on the bank reconciliation as follows:

One important trait of the bank reconciliation is that it identifies transactions that have not been recorded by the company that are supposed to be recorded. Journal entries are required to adjust the book balance to the correct balance.

In the case of Feeter, the first entry will record the collection of the note, as well as the interest collected.

The second entry required is to adjust the books for the check that was returned from Berson.

The third entry is to adjust the recording error for check 5386.

The final entry is to record the bank service charges that are deducted by the bank but have not been recorded on the records.

The previous entries are standard to ensure that the bank records are matching to the financial records. These entries are necessary to update Feeter‛s general ledger cash account to reflect the adjustments made by the bank.

Link to Learning

https://www.thebalance.com/small-business-banking-4073266

This practical article illustrates the key points of why a bank reconciliation is important for both business and personal reasons.

Describe Fraud in Financial Statements and Sarbanes-Oxley Act Requirements

Financial statements are the end result of an accountant's work and are the responsibility of management. Proper internal controls help the accountant determine that the financial statements fairly present the financial position and performance of a company. Financial statement fraud occurs when the financial statements are used to conceal the actual financial condition of a company or to hide specific transactions that may be illegal. Financial statement fraud may take on many different methods, but it is generally called cooking the books. This issue may occur for many purposes.

A common reason to cook the books is to create a false set of a company's books used to convince investors or lenders to provide money to the company. Investors and lenders rely on a properly prepared set of financial statements in making their decision to provide the company with money. Another reason to misstate a set of financial statements is to hide corporate looting such as excessive retirement perks of top executives, unpaid loans to top executives, improper stock options, and any other wrongful financial action. Yet another reason to misreport a company's financial data is to drive the stock price higher. Internal controls assist the accountant in locating and identifying when management of a company wants to mislead the inventors or lenders.

The financial accountant or members of management who set out to cook the books are intentionally attempting to deceive the user of the financial statements. The actions of upper management are being concealed, and in most cases, the entire financial position of the company is being purposely misreported. Regardless of the reason for misstating the true condition of a company's financial position, doing so misleads any person using the financial statements of a company to evaluate the company and its operations.

How Companies Cook the Books to Misrepresent Their Financial Condition

One of the most common ways companies cook the books is by manipulating revenue accounts or accounts receivables. Proper revenue recognition involves accounting for revenue when the company has met its obligation on a contract. Financial statement fraud involves early revenue recognition, or recognizing revue that does not exist, and receivable accountings, used in tandem with false revenue reporting. HealthSouth used a combination of false revenue accounts and misstated accounts receivable in a direct manipulation of the revenue accounts to commit a multibillion-dollar fraud between 1996 and 2002. Several chief financial officers and other company officials went to prison as a result.

Concepts In Practice

Internal Controls at HealthSouth

The fraud at HealthSouth was possible because some of the internal controls were ignored. The company failed to maintain standard segregation of duties and allowed management override of internal controls. The fraud required the collusion of the entire accounting department, concealing hundreds of thousands of fraudulent transactions through the use of falsified documents and fraudulent accounting schemes that included revenue recognition irregularities (such as recognizing accounts receivables to be recorded as revenue before collection), misclassification of expenses and asset acquisitions, and fraudulent merger and acquisition accounting. The result was billions of dollars of fraud. Simply implementing and following proper internal control procedures would have stopped this massive fraud.

Many companies may go to great lengths to perpetuate financial statement fraud. Besides the direct manipulation of revenue accounts, there are many other ways fraudulent companies manipulate their financial statements. Companies with large inventory balances can misrepresent their inventory account balances and use this misrepresentation to overstate the amount of their assets to get larger loans or use the increased balance to entice investors through claims of exaggerated revenues. The inventory accounts can also be used to overstate income. Such inventory manipulations can include the following:

• Channel stuffing: encouraging customers to buy products under favorable terms. These terms include allowing the customer to return or even not pick up goods sold, without a corresponding reserve to account for the returns.
• Sham sales: sales that have not occurred and for which there are no customers.
• Bill-and-hold sales: recognition of income before the title transfers to the buyer, and holding the inventory in the seller's warehouse.
• Improper cutoff: recording sales of inventory in the wrong period and before the inventory is sold; this is a type of early revenue recognition.
• Round-tripping: selling items with the promise to buy the items back, usually on credit, so there is no economic benefit.
  

These are just a few examples of the way an organization might manipulate inventory or sales to create false revenue.

One of the most famous financial statement frauds involved Enron, as discussed previously. Enron started as an interstate pipeline company, but then branched out into many different ventures. In addition to the internal control deficiencies discussed earlier, the financial statement fraud started when the company began to attempt to hide its losses.

The fraudulent financial reporting schemes included building assets and immediately taking as income any projected profits on construction and hiding the losses from operating assets in an off-the-balance sheet transaction called special purpose entities, which are separate, often complicated legal entities that are often used to absorb risk for a corporation. Enron moved assets that were losing money off of its books and onto the books of the Special Purpose Entity. This way, Enron could hide its bad business decisions and continue to report a profit, even though its assets were losing money. Enron's financial statement fraud created false revenues with the misstatement of assets and liability balances. This was further supported by inadequate balance sheet footnotes and the related disclosures. For example, required disclosures were ramped up as a result of these special purpose entities.

Sarbanes-Oxley Act Compliance Today

The Enron scandal and related financial statement frauds led to investors requiring that public companies maintain better internal controls and develop stronger governance systems, while auditors perform a better job at auditing public companies. These requirements, in turn, led to the regulations developed under SOX that were intended to protect the investing public.

Since SOX was first passed, it has adapted to changing technology and now requires public companies to protect their accounting and financial data from hackers and other outside or internal forces through stronger internal controls designed to protect the data. The Journal of Accountancy supported these new requirements and reported that the results of SOX have been positive for both companies and investors.

As discussed in the Journal of Accountancy article, there are three conditions that are increasingly affecting compliance with SOX requirements:

• PCAOB requirements. The PCAOB has increased the requirements for inspection reports, with a greater emphasis on deficiency evaluation.
• Revenue recognition. The Financial Accounting Standards Board has introduced a new standard for revenue recognition. This requirement has led to the need for companies to update control documentation.
• Cybersecurity. Cybersecurity is the practice of protecting software, hardware, and data from digital attacks. As would be expected in today's environment, the number of recent cybersecurity disclosures has significantly grown.
  

Under current guidelines, instead of the SOX requiring compliance with just the financial component of reporting and internal control, the guidelines now allow application to information technology (IT) activities as well. A major change under the SOX guidelines involves the method of storage of a company's electronic records. While the act did not specifically require a particular storage method, it did provide guidance on which records were to be stored and for how long they should be stored.

The SOX now requires that all business records, electronic records, and electronic messages must be stored for at least five years. The penalties for noncompliance include either imprisonment or fines, or a combination of the two options.

Key Terms

bank reconciliation
internal financial report that explains and documents any differences that may exist between a balance within a checking account and the company's records

bank service fee
fee often charged by a bank each month for management of the bank account

chief executive officer (CEO)
executive within a company with the highest ranking title who has the overall responsibility for the management of a company; reports to the board of directors

chief financial officer (CFO)
corporation officer who reports to the CEO and oversees all of the accounting and finance concerns of a company

collusion
private cooperation or agreement, between more than one person, primarily for a deceitful, illegal, or immoral cause or purpose

Committee of Sponsoring Organizations (COSO)
independent, private-sector group whose five sponsoring organizations periodically identify and address specific accounting issues or projects related to internal controls

control lapse
when there is a deviation from standard control protocol that leads to a failure in the internal control and/or fraud prevention processes or systems

cooking the books
(also, financial statement fraud) financial statements are used to conceal the actual financial condition of a company or to hide specific transactions that may be illegal

cybersecurity
practice of protecting software, hardware, and data from digital attacks

deposit in transit
deposit that was made by the business and recorded on its books but has not yet been recorded by the bank

external auditor
generally works for an outside CPA firm or his or her own private practice and conducts audits and other assignments, such as reviews

financial statement fraud
using financial statements to conceal the actual financial condition of a company or to hide specific transactions that may be illegal

fraud
act of intentionally deceiving a person or organization or misrepresenting a relationship in order to secure some type of benefit, either financial or nonfinancial

fraud triangle
concept explaining the reasoning behind a person's decision to commit fraud; the three elements are perceived opportunity, rationalization, and incentive

imprest account
account that is only debited when the account is established or the total ending balance is increased

internal auditor
employee of an organization whose job is to provide an independent and objective evaluation of the company's accounting and operational activities

internal control system
sum of all internal controls and policies within an organization that protect assets and data

internal controls

systems used by an organization to manage risk and diminish the occurrence of fraud, consisting of the control environment, the accounting system, and control activities

nonsufficient funds (NSF) check
check written for an amount that is greater than the balance in the checking account

outstanding check
check that was written and deducted from the financial records of the company but has not been cashed by the recipient, so the amount has not been removed from the bank account

petty cash fund
amount of cash held on hand to be used to make payments for small day-to-day purchases

Public Company Accounting Oversight Board (PCAOB)
organization created under the Sarbanes-Oxley Act to regulate conflict, control disclosures, and set sanction guidelines for any violation of regulation

publicly traded company
company whose stock is traded (bought and sold) on an organized stock exchange

revenue recognition
accounting for revenue when the company has met its obligation on a contract

Sarbanes-Oxley Act (SOX)
federal law that regulates business practices; intended to protect investors by enhancing the accuracy and reliability of corporate financial statements and disclosures through governance guidelines including sanctions for criminal conduct

special purpose entities
separate, often complicated legal entities that are often used to absorb risk for a corporation

Summary

Analyze Fraud in the Accounting Workplace

• The fraud triangle helps explain the mechanics of fraud by examining the common contributing factors of perceived opportunity, incentive, and rationalization.
• Due to the nature of their functions, internal and external auditors, through the implementation of effective internal controls, are in excellent positions to prevent opportunity-based fraud.

Define and Explain Internal Controls and Their Purpose within an Organization

• A system of internal control is the policies combined with procedures created by management to protect the integrity of assets and ensure efficiency of operations.
• The system prevents losses and helps management maintain an effective means of performance.

Describe Internal Controls within an Organization

• Principles of an effective internal control system include having clear responsibilities, documenting operations, having adequate insurance, separating duties, and setting clear responsibilities for action.
• Internal controls are applicable to all types of organizations: for profit, not-for-profit, and governmental organizations.

Define the Purpose and Use of a Petty Cash Fund, and Prepare Petty Cash Journal Entries

• The purpose of a petty cash fund is to make payments for small amounts that are immaterial, such as postage, minor repairs, or day-to-day supplies.
• A petty cash account is an imprest account, so it is only debited when the fund is initially established or increased in amount. Transactions to replenish the account involve a debit to the expenses and a credit to the cash account (e.g., bank account).

Discuss Management Responsibilities for Maintaining Internal Controls within an Organization

• It is the responsibility of management to assure that internal controls of a company are effective and in place.
• Though management has always had responsibility over internal controls, the Sarbanes-Oxley Act has added additional assurances that management takes this responsibility seriously, and placed sanctions against corporate officers and boards of directors who do not take appropriate responsibility.
• Sarbanes-Oxley only applies to public companies. Even though the rules of this act only apply to public companies, proper internal controls are an important aspect of all businesses of any size. Tone at the top is a key component of a proper internal control system.

Define the Purpose of a Bank Reconciliation, and Prepare a Bank Reconciliation and Its Associated Journal Entries

• The bank reconciliation is an internal document that verifies the accuracy of records maintained by the depositor and the financial institution. The balance on the bank statement is adjusted for outstanding checks and uncleared deposits. The record balance is adjusted for service charges and interest earned.
• The bank reconciliation is an internal control document that ensures transactions to the bank account are properly recorded, and allows for verification of transactions.

Describe Fraud in Financial Statements and Sarbanes-Oxley Act Requirements

• Financial statement fraud has occurred when financial statements intentionally hide illegal transactions or fail to accurately reflect the true financial condition of an entity.
• Cooking the books can be used to create false records to present to lenders or investors. It also is used to hide corporate looting of funds and other resources, or to increase stock prices. Cooking the books is an intentional action and is often achieved through the manipulation of the entity's revenues or accounts receivable.
• Health South and Enron were used as examples of past corporate financial fraud.
• The section takes a brief look at the current state of SOX compliance.