The Possible

There are times when I think we do not spend enough time thinking about the possible.  What I mean to say is, we are almost always fixated on the probable, or most likely to happen, outcome.  This is as true in accounting and auditing as it is in life itself.

One important aspect of our role as auditor though, is to consider the possible.  For instance, theft of company assets.  When we look at how assets are controlled, from their purchase to their ultimate disposal, we are looking for possible holes in that system.  Who approves a bad debt write-off, who can set the selling price of a piece of equipment that is no longer in use; the issues which concern is are possibilities.

If we focused solely on the probable, we would potentially miss a warning sign.  Is it probable that the purchasing agent is receiving a kick-back from a vendor for steering business their way?  Maybe not.  But what controls, what business process reduces the possibility?

It is one of the things that concerns us regarding condo and HOA audits.  As the association’s independent auditor, we are first and foremost concerned with the financial statement and the fact that it is materially correct.  But when you think about what provides a materially correct financial statement, it is all the controls and safeguards of the manager – who is charged with the board with carrying out the daily activity of the association.

This is the main reason we spend so much energy on understanding how the community manager does the job.  Who has access to a checking account, who initiates the transaction, who approves it?  These points reduce or increase the risk of misuse of the association’s assets. There are far too many stories about trusting a system that really did not provide any safeguards and addressing that possibility is the responsibility of the auditor.

For instance, what if employee A of the community manager could initiate a transaction for say, yard maintenance.  Employee A contacts the maintenance company, negotiates the price and sets the contract.  Employee A then reviews their work and approves payment.  Finally Employee A can write the check and have someone else sign.

This seems harmless doesn’t it?  After all, employee A can’t sign the check so the asset is safeguarded right?  Not at all.  Employee A could have created a fact maintenance transaction, set up a fake company, approved the work and, because everything was signed off on, the check is cut.  To employee A.

Is it probably this happens in any particular association?  No.  But this scenario could result in this possible outcome.  And the auditor should know that and make appropriate comment.

Community Managers will argue that this couldn’t happen.  They are, however, arguing that it is not probable because they believe they know their employees.  The fact that it could happen though is what we are concerned with when we try to determine the risks of weak internal controls.  Boards need to be made aware that the risk exists so they can take steps, if they feel it necessary, to eliminate, or at least reduce, the risk of it happening.

As a director, make sure your auditor works to understand how the community manager is operating and how it impacts your association.  Press them on their thoughts on what risks might exist to the assets of your association.  Your auditor should have a good grasp of the fundamentals of the control system and can give you some good points to consider.  And if they can’t, it may be time to switch auditors.  C.O.R.E. is here to help you, the board, rely upon your manager.  We do this by looking at the managers controls and how they impact your association.  Feel free to contact us to schedule a conversation about how we can be of service to your association.

Have a great weekend.

 

Evaluating Risk in Your Business

I received another interesting Google alert which reminds me how small business owners often take their business for granted.  This one was about how the bookkeeper managed to write almost 100 checks to himself over 3 years to the tune of almost $250,000.

Let me start by saying that the bookkeeper was wrong.  No ifs, ands, or buts about it.  But to be honest, the business owner provided the means and the opportunity.  That doesn’t excuse the behavior but the owner would have been $250,000 wealthier if he hadn’t failed in his responsibilities to set up his company to deter such poor behavior.

First, a small business owner should never, ever give the bookkeeper check signing authority.  There is no such thing as a good reason for this.  One of the most important rules to protect your cash is make sure that the person with direct oversight of the accounting system can not sign a check.

Yes, I know there are many good reasons to have a second signer and I think there probably should be at least one other.  But have it be your shop manager or construction foreman, not the bookkeeper!  Hell, have your cousin Bob be a signer so that when you are out of town he can come by the office and sign checks.

But you have to make sure that the second signer knows the rules.  The most important rule is that no check is signed unless all the paperwork is with it.  That means a purchase order (yes use those too), a vendor invoice, a receiving ticket (what? You don’t have anything to prove items were delivered?) all packages together so they can review it prior to signing.  Everything must match or they must not sign.  And the bookkeeper cannot pressure them for any reason.  As a matter of fact, they should call you immediately if they feel something is off.

I understand it is possible that someone could create lots of documents to support stealing but the reality is that it would take some advanced planning to pull it off.  Plus, once it was discovered (and it will be) it is pretty obvious they had real intention to steal from you and that it wasn’t merely a crime of opportunity (oh look a $1,000 bill lying on the ground, finders keepers).  But ultimately having someone who is not part of the accounting control system look things over might actually help you find new ways to do the work.

We are big fans of using automated workflows and online document management.  These can make the process of approvals easier, faster and far more reliable.  Properly constructed, your system wouldn’t even allow a check to be written until the work flow is complete.  You could have several different people review their parts and then you can be comfortable in knowing that whoever signs the check (or pushes the enter key for an ACH transaction) is doing so with proper authorization.

Here are a few other commonsense rules for vendor payment management:

  • Make sure that all vendors have filed a W9 and submitted their insurance documents
  • Create a receiving document to prove what was delivered and that it matched to the PO
  • Create PO’s for goods being purchased
  • Have a contract with professional service providers for every major project they do – no open-ended hourly billing
  • Have one of your employees call random vendors to verify their information to make sure they really exist and do business with you
  • Review your accounts receivable aging reports and personally follow up with customers who haven’t paid in 60 days.

These steps won’t stop a determined fraudster but they do substantially reduce opportunity.  And without opportunity, most fraud disappears.

If you are looking for an accounting firm who understands business and how to protect it, check out our website for more information and to contact us.  We look forward to the opportunity to be of service to you.

Have a great day and Happy New Year.