Don’t Let the Fox Guard the Henhouse
By Bryan Fleming, Director, Advisory Services
The idiom “fox guarding the henhouse” is taken to mean placing someone unsuitable in a position of trust, or placing someone in a position of policing him- or her- self. The problem of placing the wrong people in such positions is actually more common than most people realize, as is the actual prevalence of workplace fraud.
The 2018 Report to the Nations, published by the Association of Certified Fraud Examiners (ACFE), makes clear that no organization is immune and that fraud knows no geographic or industry boundaries. In a study of 2,690 reported cases of fraud in 125 countries and 23 industry categories, the ACFE found that 42% related to private companies, 29% to public companies, 16% to government agencies, 9% to nonprofit organizations, and 4% to other entities. Nearly half of all frauds were the result of failures of internal controls.
We see the damage from this phenomenon quite frequently here at Marcum, so let’s talk about an example of over-reliance on people and under-reliance on controls. The example involves a small company, but is quite typical of what we have found in other cases.
In this case, a member of management was contacted by a service provider expressing concern that various invoices had remained unpaid for a long period of time. Previously, invoices had been paid within a matter of days. Based on that call, a preliminary investigation was initiated, and it was found that certain employees disregarded existing internal control procedures by making transfers to and from several bank accounts without the required approvals.
The employees also circumvented disbursements controls by paying a vendor with several checks made out in amounts that were less than the amount that triggers board oversight. The board suspended the employees and engaged attorneys, who in turn engaged Marcum to conduct a full forensic investigation.
Marcum’s investigation ultimately concluded that the employees took nearly $1 million over two years. That amount included checks made payable to one employee directly, as well as payments to fictitious companies allegedly owned by another employee.
Irrespective of written policies and procedures, established internal controls, and financial statement audits performed by an independent CPA, the company became the victim of a material financial loss. It remains to be seen what the impact will be on the company in the future.
The lesson from this case is that this can happen in any company, including yours.
While no system of internal controls can be guaranteed to prevent the type of misconduct described above, a simple, principles-based approach can help minimize the occurrence of such behavior. Guidance for such an approach can be found in a joint-project document authored by a taskforce of the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners entitled Managing the Business Risk of Fraud: A Practical Guide.
Consider the following five principles enumerated in the report and the ease with which they are approached:
In the parlance of public accounting, this process is referred to as “establishing the environment for fraud risk” – a dashboard approach. Some of the items set forth in the report that should be matters of policy include developing guidelines related to:
- Roles and responsibilities
- Fraud awareness
- Affirmation process
- Conflict disclosure
- Fraud risk assessment
- Reporting procedures and whistleblower protection
- Investigation process
- Quality assurance
- Continuous monitoring
Some of the items that should be matters of practice include:
- Separation of functions
- Regular oversight and reconciliation of bank accounts
- Board involvement in management oversight
- Internal auditing with board oversight
- Regular IT audits for unauthorized or inappropriate use of computers
In the case described above, the costs to investigate the facts and solve the various problems that have resulted from the fraud will likely run to $100,000 or more. There may also be reputational costs to the company.
The employment of strong controls and related policies and practices can help to thwart the kind of scheme described in this article or significantly reduce any damage. Only through diligence and monitoring is it possible to know whether there is a fox guarding the henhouse.