When the members of the Board of Directors of a large non-profit suspected embezzlement of company funds, they needed help. We met with them and heard about what was, to the board members, the strange pattern of events that had led to their suspicions.
During the meeting the CEO resigned and, as it turned out, the seemingly random facts and “strange” events all fit a classic profile of fraud. Somewhat typically, the board wanted to believe it was simply a misunderstanding, incompetence or laziness.
The Investigation Plan
We proposed a multi-stage engagement.
Phase 1 was designed to establish whether there was evidence suggesting fraud rather than simply incompetence or sloppiness by management.
Phase 2 was designed to quantify a preliminary loss given specific parameters determined in phase 1. In simple terms, phase 2 was designed to pick the “low hanging fruit” and establish the basis for the board to determine a legal course of action, if any.
Phase 3 was designed to complete the investigation and prepare for civil or criminal prosecution.
Executing the Investigation
Phase 1 established that indeed there was evidence of management sloppiness and even incompetence. This situation allowed for unauthorized financial transactions to happen without detection – and there was evidence that such transactions had taken place.
The executive responsible for the lack of controls eventually took advantage of the situation. The board, meanwhile, was completely unaware that there were no internal controls.
In phase 2 the forensic accountants reviewed several years of bank reconciliations and traced cancelled checks and deposit slips back to the accounting records. This process exposed unauthorized payments as well as a sophisticated attempt to cover the payments so that reports to the board would not reflect the actual economic activity.
We presented our findings to the board, but since there was no insurance to cover the loss (the CEO had cancelled the coverage several years before) and the board had determined that there would be no prosecution, the engagement did not proceed to phase 3.
Several obvious and not-so-obvious factors added to the frustration of this embezzlement. In this unfortunate situation are some basic lessons for preventing fraud.
1. Don’t rely on audits to find fraud
The annual audit performed by an outside CPA firm was worthless. Audits are not designed to find fraud – but they should be designed to evaluate and test internal controls. The Board never heard from the auditors that the system of internal controls did not exist. The pattern of embezzlement was such that simple transaction testing by the auditors would likely have exposed the entire scheme. Perhaps this argues for rotating audit firms after a few years to get a fresh look.
2. Be open to bad news
The Board of Directors was too trusting of management. Members of management had repeatedly tried to let board members know about poor management practices and other evidence of problems. The board had trained management to report the good news and bury the bad news. This is a classic dynamic in charitable organizations that recruit highly successful citizens who donate as little time as possible to lend their name to a good cause. In this case, like so many others, they all ended up embarrassed, confused, and suspected themselves. The Board, as noted above, decided to sweep it all under the rug.
3. Employ internal controls
The culture of “trusting” management at all costs is dangerous to the individual and the organization. Internal controls protect individuals from accusations and suspicions. Conversely, a simple set of internal controls protects the organization from the risk of undetected fraud. In this case, ignoring this most basic method of preventing fraud cost the organization several hundred thousand dollars.
The decision of the board to not prosecute the crime, driven by their own embarrassment and shame, probably indicates that the lessons still haven’t been learned.