Chapter 7: Fraud, Internal Control, and Cash

Chapter Overview

This chapter provides a comprehensive examination of fraud, the design and implementation of robust internal control systems, and effective cash management practices. It explicitly outlines key learning objectives and underscores the critical importance of safeguarding a company's assets from misuse or theft, maintaining the integrity of financial data, and ensuring strict compliance with all applicable laws and regulations.

Learning Objectives

The main learning objectives for this chapter are as follows:

  1. Define fraud and the principles of internal control. This includes understanding the nature of dishonest acts and the foundational concepts behind a sound control environment.

  2. Apply internal control principles to cash. Focuses on how control activities are specifically adapted and implemented for managing cash receipts and disbursements, a high-risk area.

  3. Identify the control features of a bank account. Explores how utilizing bank services enhances internal controls and aids in reconciliation.

  4. Explain the reporting of cash. Covers the classification and presentation of cash and cash equivalents on financial statements, including restricted cash.

    Note: Petty cash and bank reconciliations, while related to cash management, are not covered in detail within this particular chapter.

Learning Objective 1: Define Fraud and the Principles of Internal Control

Definition of Fraud

Fraud, in an organizational context, is precisely defined as a deliberate dishonest act perpetrated by an employee. This act is typically characterized by an intentional misrepresentation or concealment of facts, designed to result in direct or indirect personal advantages or benefits for the employee, often illicitly gained at the direct financial, reputational, or operational expense of the employer.

Factors Contributing to Fraudulent Activity

The established "Fraud Triangle" model identifies three interdependent key factors that significantly contribute to the likelihood and occurrence of fraudulent activities within an organization:

  1. Opportunity: This refers to the presence of circumstances that allow fraud to be committed. It often arises from a perceived weakness or absence of effective internal controls, such as a lack of segregation of duties, inadequate oversight, or easily exploitable systems. The employee believes they can commit the fraud without being detected.

  2. Rationalization: This psychological component involves employees justifying their dishonest actions to themselves. They often develop a moral excuse or belief that their actions are acceptable or not truly wrong (e.g., "I'm just borrowing the money," "The company owes me this," or "Everyone else does it").

  3. Pressure: These are the external factors or incentives that might compel an employee to commit fraud. Common internal pressures include financial difficulties (e.g., gambling debts, excessive spending, medical bills), personal problems, or even perceived unfair treatment within the company. External pressures can also stem from unrealistic performance targets or a desire to maintain a certain lifestyle.

The Sarbanes-Oxley Act (SOX)

Enacted in 2002 in response to major corporate accounting scandals (like Enron and WorldCom), the Sarbanes-Oxley Act applies specifically to publicly traded U.S. corporations. It established stringent regulatory standards aimed at significantly improving the accuracy, transparency, and reliability of corporate disclosures and financial reporting. Key components and requirements established by SOX include:

  • Requirement for companies to maintain adequate internal control systems. This mandates the establishment and documentation of internal controls over financial reporting.

  • Obligation for corporate executives and boards of directors to ensure these controls are deemed effective and reliable. Section 302 and 404 of SOX require management to assess and report on the effectiveness of internal controls annually.

  • Necessity for independent external auditors to validate the adequacy of the internal control system. Auditors must attest to, and report on, management's assessment of internal controls, providing an independent opinion on their effectiveness.

  • Establishment of the Public Company Accounting Oversight Board (PCAOB). This board oversees the audits of public companies to protect investors and ensure public trust in audit reports.

Internal Control Methods and Measures

Internal control methods represent a comprehensive set of policies and procedures designed and implemented by an organization's board of directors, management, and other personnel. They serve a variety of critical purposes, including:

  1. Safeguarding assets. Protecting physical assets (like cash, inventory, equipment) and intangible assets (like patents, data) from theft, damage, or unauthorized use.

  2. Enhancing the reliability of accounting records. Ensuring that financial data is accurate, complete, and reliable, which is crucial for sound decision-making and financial reporting.

  3. Increasing operational efficiency. Streamlining processes, reducing waste, and improving productivity by establishing clear procedures and responsibilities.

  4. Ensuring compliance with laws and regulations. Adhering to legal requirements, industry standards, and company policies, thereby mitigating legal and reputational risks.

Five Primary Components of Internal Control (COSO Framework)

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework identifies five interrelated components essential for an effective internal control system:

  1. Control Environment: This forms the foundation for all other components. Top management, often referred to as "tone at the top," must clearly communicate a strong commitment to ethical behavior and integrity, setting a positive example and demonstrating that unethical behavior is unacceptable and will not be tolerated. This includes the organizational structure, assignment of authority and responsibility, and human resource policies and practices.

  2. Risk Assessment: Businesses must proactively evaluate potential risks to the achievement of their objectives (e.g., financial reporting risks, operational risks, compliance risks) and determine how best to manage and mitigate them. This involves identifying, analyzing, and responding to business risks.

  3. Control Activities: These are the specific actions, policies, and procedures implemented at all levels of the organization to mitigate identified risks adequately. They include activities like authorizations, reconciliations, verifications, and segregation of duties.

  4. Information and Communication: The control system must effectively gather pertinent information from both internal and external sources and communicate vital information to relevant parties within and outside the organization in a timely manner. This ensures that everyone understands their roles in internal control.

  5. Monitoring: Internal control systems are not static; they must be periodically reviewed, assessed, and evaluated to ensure their continued effectiveness over time. This includes ongoing evaluations and separate evaluations, with deficiencies being identified and communicated promptly.

Principles of Internal Control Activities

The chapter continues to outline several critical control activities that support the broader components of internal control:

1. Establishment of Responsibility

Control is most effective when responsibility for specific tasks is clearly assigned to a single individual. This creates accountability and limits access to authorized personnel only. For example, only one person should be authorized to open mail containing customer payments, or only one cashier should operate a specific cash register drawer.

2. Segregation of Duties

To prevent fraud and errors, related activities should be assigned to different individuals. This principle is fundamental in preventing any one person from having too much control over any transaction or task, especially concerning asset custody, record-keeping, and authorization. For instance, the person who authorizes a payment should not be the same person who signs the check, nor should they be the one who maintains the related accounting records.

3. Documentation Procedures

Organizations are strongly advised to utilize prenumbered documents (e.g., checks, invoices, sales orders, purchase orders). These documents must be accounted for thoroughly, from issuance to completion, to ensure that all transactions are recorded and none are missing or duplicated. Employees are also required to forward source documents promptly to the accounting department for timely and accurate data entry and record-keeping.

4. Physical Controls

Physical controls should be robustly established to safeguard assets effectively. This includes physical barriers or devices to protect assets from theft or damage: examples include safes and vaults for cash and important documents, locked cabinets for valuable inventory, alarms and surveillance cameras (CCTV), time clocks for recording employee attendance, and computer passwords or biometric access controls for sensitive data.

5. Independent Internal Verification

Records should be periodically and independently verified by someone who is not involved in the original transaction or record-keeping process. This individual or department (e.g., internal audit) examines data, compares it to documented evidence, and identifies any discrepancies. These discrepancies are then reported to management for further investigation and corrective action, ensuring accuracy and detecting potential errors or fraud.

6. Human Resource Controls

Effective personnel management strategies are crucial for internal control. These include:

  • Bonding employees who manage cash: Obtaining insurance protection against theft by employees. This financial protection deters fraud and provides recourse if it occurs.

  • Rotating employee duties: Requiring employees to periodically switch roles or take mandatory vacations. This arrangement makes it harder for an employee to conceal fraudulent activities over extended periods, as another person would momentarily take over their responsibilities.

  • Requiring vacations: Similar to job rotation, mandatory vacations prevent employees from continuously concealing fraud. If an employee is never absent, it could indicate they are manipulating records to hide something.

  • Conducting thorough background checks: Verifying the honesty and reliability of prospective employees before hiring them, especially for positions involving financial responsibilities.

SOX and Human Resources

Under the Sarbanes-Oxley Act, it is critical for companies to maintain accurate and detailed records of employees’ qualifications, certifications, and training for their respective roles. This facilitates proper supervision and reinforces the separation of duties through a well-defined organizational chart that clearly delineates reporting lines and responsibilities. An interesting observation noted in the chapter is a real-world case where one corporation discovered numerous employees (400 out of 17,000) were unsupervised in their roles, while 35 employees reported to each other. This indicates significant potential control shortcomings, as a lack of clear oversight and reporting structures creates opportunities for fraud and errors.

Limitations of Internal Control

The chapter acknowledges that even well-designed internal control systems inherently have limitations which restrict their absolute effectiveness:

  1. Cost-Benefit Principle: The cost of implementing and maintaining controls should not exceed the benefits derived from them. Companies must perform a cost-benefit analysis, as overly stringent controls can be financially burdensome and impede efficiency.

  2. Human Elements: Internal controls are ultimately dependent on people. Human elements such as fatigue, carelessness, indifference, or intentional collusion (two or more employees working together to override controls) can create significant vulnerabilities, leading to errors or deliberate circumvention of controls.

  3. Business Size: The size and complexity of a business can significantly impact the effectiveness and design of internal controls. Smaller businesses, with fewer employees, may find it challenging to achieve complete segregation of duties due to limited personnel, making them more reliant on owner oversight.

  • Helpful Hint: Controls should be calibrated based on the activity's associated risk levels, leading to more stringent practices for high-risk areas like cash management, where the potential for theft or error is higher.

Practical Scenarios: Identifying Violations of Control Principles

Example 1

Scenario: An employee tasked with reconciling the bank account is also responsible for making bank deposits.

  • Violation: This presents a clear violation of the segregation of duties principle, specifically the separation of asset custody and record-keeping. Allowing the same individual to handle both cash (deposits) and the independent verification of cash records (bank reconciliation) creates an opportunity for embezzlement. The employee could easily steal cash from deposits and then manipulate the bank reconciliation to conceal the theft.

2

Scenario: A treasurer who has not taken a vacation in thirty years, thereby raising red flags regarding control.

  • Violation: This contravenes human resource controls, specifically the necessity for key employees to take mandatory time off. An employee who never takes a vacation may be doing so to continuously cover up ongoing fraudulent activities. This poses significant risks of cash embezzlement or other financial misconduct that could remain obscured because the individual in charge is always present to manipulate records.

3

Scenario: A restaurant failing to utilize prenumbered order slips to save costs.

  • Violation: This contravenes documentation procedures. Without prenumbered order slips, it becomes extremely challenging to account for all sales transactions, as there's no systematic way to track every order from creation to payment. This increases the risk of cash losses through unaccounted sales, where employees could process orders, collect cash, and pocket the money without recording the sale.

Learning Objective 2: Apply Internal Control Principles to Cash

Cash Receipt Controls

The application of internal controls is particularly crucial for cash receipts and disbursements, as cash is the most liquid and easily misappropriated asset. Controls must ensure that all cash entering the business is thoroughly documented, processed accurately, deposited promptly, and continuously monitored. Key aspects include immediate recording of cash, daily bank deposits, and separation of duties among those who handle cash, record cash, and reconcile bank accounts.

Cash Disbursement Controls

Effective controls in cash disbursement are vital to prevent unauthorized payments and ensure that all payments are legitimate business expenses. These involve:

  • Establishment of Responsibility: Only designated personnel, such as a company treasurer or specifically authorized managers, are given the authority to sign checks and approve vendors. This limits who can authorize and execute payments.

  • Segregation of Duties: Ensuring that different individuals handle the approval processes, payment executions, and record-keeping. Specifically, the person who approves an invoice for payment should not be the one who signs the check, and the check signers should not also record the disbursements in the accounting system.

  • Documentation Procedures: Stringent use of prenumbered checks and maintaining a comprehensive sequence record of all checks issued. Every check must be supported by an approved invoice from a legitimate vendor. Companies should also require corporate credit card usage for reimbursable employee expenses, and invoices should be stamped "paid" or "approved" upon payment to prevent duplicate payments.

  • Physical Controls: Keeping blank checks secure in safes or locked cabinets with limited access to authorized personnel only. Additionally, ensuring that check amounts are printed in indelible ink or secured by check-writing machines to prevent alteration.

  • Independent Internal Verification: Regularly comparing checks issued against approved invoices and supporting documentation. Critically, conducting monthly bank reconciliations by an independent party (someone not involved in cash receipts or disbursements) to identify any discrepancies between the company's cash records and the bank's records.

  • Human Resource Controls: Bonding cash-handling personnel to provide insurance against theft. Enforcing mandatory vacation periods for employees involved in cash disbursements. Executing thorough background checks on all new hires, especially for positions of financial trust.

Voucher System Controls

A voucher system is described as a comprehensive network of approvals by authorized individuals that are required for all cash disbursements. It provides an independent review and verification process before any funds are released. A voucher serves as an internal authorization form generated for each expenditure, integrating purchase requisitions, purchase orders, invoices, and receiving reports to ensure the legitimacy and accuracy of a payment. This system enhances control by centralizing and standardizing the payment approval process.

Ethics Insight: Occupational Fraud

Occupational fraud refers to the use of one's occupation (employment) for personal enrichment through the deliberate misuse or misapplication of the employer's resources or assets. Studies by ACFE (Association of Certified Fraud Examiners) typically categorize occupational fraud into three primary types:

  1. Asset Misappropriation: This is the most prevalent form of occupational fraud but typically incurs lower costs per incident compared to other types. It involves the theft or misuse of company assets. Examples include:

    • Theft of cash: Skimming (theft of cash before it is recorded) or larceny (theft of cash after it is recorded).

    • Fraudulent disbursements: Forging company checks, submitting false invoices (billing schemes), or processing fictitious payroll schemes (ghost employees).

    • False refunds: Processing fake customer returns to steal cash.

    • Creation of ghost employees: Adding fictitious employees to the payroll and intercepting their paychecks.

  2. Corruption: This type lies between asset misappropriation and financial statement fraud regarding both frequency and costs. It involves employees misusing their influence in a business transaction in a way that violates their duty to the employer. Examples include:

    • Bribery: Offering or receiving something of value to influence a business decision.

    • Illegal gratuities: Receiving something of value after a business decision has been made, without an explicit quid pro quo agreement.

    • Extortion: An employee demanding payment from an external party to make a business decision.

    • Conflicts of interest: An employee having an undisclosed economic or personal interest in a transaction that adversely affects the company.

  3. Financial Statement Fraud: Although less common than the other types, this type is typically the costliest due to its severe impacts on investors, creditors, and the overall market. It involves intentionally misstating financial information to deceive users of financial statements. Examples include:

    • Fictitious revenues: Recording sales that did not occur.

    • Concealed liabilities: Omitting expenses or liabilities to overstate profits.

    • Improper disclosures: Failing to disclose important information that impacts the fair presentation of financial statements.

    • Asset misvaluations: Overstating the value of assets or understating depreciation/amortization.

Learning Objective 3: Identify the Control Features of a Bank Account

The utilization of a bank account significantly facilitates enhanced internal controls over cash by:

  • Minimizing the cash kept on hand: By depositing cash regularly into a bank account, a company reduces the amount of physical cash on its premises, thereby decreasing the risk of theft or loss.

  • Creating double records of transactions conducted through the bank: Both the company and the bank maintain independent records of cash transactions (deposits, checks, withdrawals). This dual record-keeping system provides an essential cross-check, as discrepancies can be identified and investigated.

  • Enabling bank reconciliation processes for better accuracy monitoring: The process of comparing and adjusting the cash balance in the company's accounting records with the balance reported on the bank statement. This reconciliation identifies unrecorded deposits, outstanding checks, bank errors, and other discrepancies, ensuring the company's cash balance is accurate and complete.

    Note: The bank statement is effectively a copy of the bank's records supplied to customers, detailing deposits, withdrawals, and the current balance, provided for regular review.

Learning Objective 4: Explain the Reporting of Cash

Cash and Cash Equivalents

In financial reporting, "Cash and Cash Equivalents" is a combined line item. Cash equivalents are defined as short-term, highly liquid investments that possess two key characteristics:

  1. Are readily convertible to known amounts of cash: This means they can be quickly exchanged for a specific, predetermined amount of cash without significant delay or difficulty.

  2. Are so close to maturity that market value changes minimally affected by interest rate fluctuations: Typically, this refers to investments with original maturities of three months or less when acquired (e.g., money market funds, treasury bills, commercial paper).

Restricted Cash

Restricted cash refers to cash that is not available for general business use but is earmarked or legally set aside for specific, designated purposes. Depending on the nature of the restriction, it may be classified as either a current asset (if the restriction is short-term) or a non-current asset (if the restriction is long-term) on the balance sheet. Common reasons for restricted cash include compensating balances required by lenders, cash set aside for future plant expansion, or funds held in escrow for specific legal obligations.

Example: Reporting Cash in Financial Statements

In an example involving Delta Air Lines, Inc., a balance sheet might indicate:

  • Current assets include cash and cash equivalents totaling 2,8442,844 million (representing readily available funds and highly liquid investments).

  • Short-term investments of 959959 million (investments with maturities longer than cash equivalents but still considered current).

  • Restricted cash of 122122 million (cash held for specific purposes unavailable for general operations).