- Email: [email protected]
Fraud at a public authority
J. of Acc. Ed. 28 (2010) 26–37
Contents lists available at ScienceDirect
J. of Acc. Ed. journal homepage: www.elsevier.com/locate/jaccedu
Case
Fraud at a public authority William G. Brucker 1, James E. Rebele ⇑ Department of Accounting and Taxation, Robert Morris University, 6001 University Boulevard, Moon Township, PA 15108, United States
a r t i c l e
i n f o
Keywords: Defalcation Internal control Fraud examination
a b s t r a c t This case describes a fraud committed at a public authority which operated a municipal facility that was used for sporting events and concerts. The fraud was committed by the authority’s chief accounting officer who stole tens of thousands of dollars in cash over a period of several years. The case describes how the cash was stolen and concealed by the authority’s chief accountant. Case questions ask students to identify internal control weaknesses that allowed the fraud to be committed, recommend improvements to internal controls, and identify how the auditor should have searched for the fraud. Assessment evidence indicates that the case is effective in meeting identified learning objectives. The case has been used in the first auditing course, and it would also be suitable for use in a forensic accounting course. Ó 2010 Elsevier Ltd. All rights reserved.
1. Introduction Covering fraud has become an important part of most auditing courses and the need for auditors to improve fraud detection is one motivation behind the expansion of forensic accounting course offerings at many universities. Of the two basic types of fraud, textbook examples and end-of-chapter materials tend to focus more on fraudulent financial reporting than on theft of assets, or defalcation. This is perhaps due to the visibility and availability of information on, for example, Enron and Worldcom as opposed to information available on thefts occurring at local businesses, government agencies, or charitable organizations. Students are, however, likely to encounter asset-theft cases in their careers and instructional resources on this type of fraud are therefore needed. Several asset-theft cases (e.g. Durtschi, 2003) are ⇑ Corresponding author. Tel.: +1 412 397 4894. 1
E-mail addresses: [email protected] (W.G. Brucker), [email protected] (J.E. Rebele). Tel.: +1 412 397 3433.
0748-5751/$ - see front matter Ó 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.jaccedu.2010.10.001
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
27
available, although a potential drawback to some cases is their complexity and time needed for completing the case and for classroom discussion. This case describes a situation where an accountant working for a public authority stole tens of thousands of dollars over a period of several years. The case illustrates how ineffective internal controls create an opportunity for employees to steal assets. Students are asked to identify the internal control weaknesses that provided the opportunity for the accountant to steal cash, make recommendations to strengthen controls, and discuss how the authority’s auditor should have searched for this fraud. The case is based on a real-life event, although the names of the authorities and individuals have been changed. The case, which effectively meets important learning objectives, can be used in a first auditing or forensic accounting course. 2. Background From 1998 until 2001, Tom Smith was employed as controller for a public authority (‘‘Old Authority’’). A public authority is a type of governmental unit (in some states referred to as a special district) that is separately incorporated for the purpose of acquiring, financing, and operating real properties, such as athletic stadiums, convention centers, water systems, airports, and public transit. The goal of a public authority is to insulate local and state governments from the liabilities related to owning and operating these types of real properties. The board of directors of a public authority, once appointed, acts independently of local and state government. Old Authority owned and operated a large municipal facility (Old Facility) that was used for major athletic and entertainment events, such as football, baseball, and concerts. The Old Facility was imploded in 1999 and a new public authority (‘‘New Authority’’) immediately commenced construction on a new municipal facility that would be used for the same purposes (‘‘New Facility’’). After the Old Facility was demolished, Mr. Smith remained as the sole accounting employee of Old Authority where he continued to provide accounting services on a part-time basis. Although the Old Facility had been demolished, the Old Authority continued to exist to collect rent payments from other properties that it owned and to repay existing long-term debt. In early 2001, Mr. Smith was hired as the full-time controller for the New Authority, which owned and operated the New Facility. Smith remained employed both as the full-time controller of the New Authority and part-time accountant for the Old Authority until the fraud was detected in the fall of 2003. 3. Duties Mr. Smith’s responsibilities at the Old Authority included monthly payroll, collecting receipts, making payments, budgeting, making entries into the books of original entry, and preparing financial reports for the Board of Directors of Old Authority. Mr. Smith had access to cash in the Old Authority’s safe and he was authorized to order cash from the Old Authority’s bank in order to provide the monies cashiers needed for an event at the Old Facility (‘‘start-up cash’’). Mr. Smith had full access to all of the Old Authority’s computers. Following concerts at the Old Facility, Mr. Smith was responsible for meeting with the concert’s promoters, counting the event receipts, and returning the start-up cash to the Old Authority’s safe. Mr. Smith was charged with arranging for an armored courier to pick-up the start-up cash the next day for its return to the Old Authority’s bank. The monthly income statement and balance sheet were prepared with a financial software package utilized by Old Authority. At year-end, Mr. Smith prepared all form W-2’s and 1099s related to compensation and he was responsible for filing all tax reports. Mr. Smith had two employees who performed accounting functions under his supervision. A local accounting firm audited the Old Authority annually. Mr. Smith was responsible for assembling the documents that the auditors requested and answering their questions. Mr. Smith developed a good relationship with the auditors. Mr. Smith reported to the Chairman of the Board of Directors of the Old Authority. Smith met with the Chairman at monthly meetings where he secured the Chairman’s signature on checks that
28
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
exceeded $2500.00. The Old Authority’s bank account signature authorization allowed Mr. Smith alone to sign checks up to $2500.00. From March 1999 until January 2001, while the New Authority was constructing the New Facility, Mr. Smith served as the part-time controller of the Old Authority. The other accounting employees who had reported to him at the Old Authority had been laid off. Mr. Smith and the furloughed employees received a retention bonus payment from the Old Authority equal to one-half of their annual salary. Smith’s office was moved to a remote building owned by the Old Authority. Mr. Smith maintained a check register on a computer at this remote office, but moved all of the checks and other financial documents of the Old Authority to his home in order to make performing his duties more convenient. Mr. Smith went to the remote office to pick up mail and to meet with the local accountants for the Old Authority’s annual audit examination. After the Old Authority’s operations were moved to the remote office, Mr. Smith wrote about 100 checks per year from the Old Authority’s checking account. In early 2001, Mr. Smith was hired as the full-time controller of the New Authority. He also continued to manage the books and records of the Old Authority. As controller of the New Authority, Mr. Smith had substantially the same duties that he performed for the Old Authority, including the ability to record entries into the books of original entry, access to cash in the safe, and the authorization to order event start-up cash. New Authority explicitly noted in the employment letter to Mr. Smith that his salary included the bookkeeping services he would perform for the Old Authority.
4. Discovery of the theft In June 2003, while Mr. Smith was on vacation, an accounting employee from the New Authority picked up the mail from the remote office and noted that the Old Authority’s bank statement contained a $1400 canceled check payable to Mr. Smith. It was determined that the check, which Smith paid to himself for ‘‘consulting fees,’’ was unauthorized. The New Authority’s financial staff conducted an internal audit and discovered approximately $15,000 in unauthorized checks from April 2002 through March 2003. Soon thereafter, a meeting was called by the Board of Directors of the New Authority where Mr. Smith was confronted with the $15,000 in unauthorized checks. Mr. Smith admitted to writing these checks, but then stated that there were no other unauthorized transactions. Nonetheless, following the meeting further internal audit by the financial staff discovered a total of $70,000 of unauthorized checks, $20,000 in unauthorized retention payments, and $25,000 of unauthorized payments for an insured investment account that was partially owned by Smith. Moreover, an outside agency’s parallel investigation of the New Authority’s cash disclosed a loss of approximately $15,000 in funds which had been recovered earlier from Mr. Smith. A second meeting was called with Mr. Smith at which time he admitted to the newly discovered transactions and advised there were life insurance proceeds from the insured investment that he expected to receive due to the death of the other investment participant. Mr. Smith intended to use these funds to pay restitution. Once again, he denied that there were any more unauthorized transactions. A few days after the second meeting in 2003, the financial staff discovered an unexplained $30,000 cash transaction to Mr. Smith drawn on an Old Authority bank account. The transaction appeared to be start-up cash for an event at the Old Facility, even though the Old Facility had been demolished in 1999. Mr. Smith authorized that the cash be delivered to him by armored courier. Moreover, in the course of the investigation, the financial staff found reference to a ‘‘royalty contract’’ between the Old Authority and a memento manufacturer on a computer at the remote site. The manufacturer had been producing and selling replicas of the ‘‘Old Facility’’ to sports enthusiasts as mementos and paying a royalty to the Old Authority. The Board of Directors was unaware of this agreement. On further investigation, it was discovered that the royalty checks from the memento manufacturer had been forged by Mr. Smith and deposited into his personal checking account. When Mr. Smith was confronted with this new evidence, he admitted to the transactions and again said there were no other unauthorized transactions.
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
29
The financial investigators were stymied for they did not know how many computers either Authority owned. Neither Authority had any policies with regard to the use of computers. The financial investigators found at least four computers that were available to Mr. Smith, yet other information from the check register indicated that may have been at least three more computers. To add to the financial woes, the CFO of the New Authority, who supervised Mr. Smith’s activities at the New Authority as well as Mr. Smith’s diminished accounting activities for the Old Authority, admitted that he approved Mr. Smith’s taking the Old Authority’s financial documents home. The CFO stated that on one occasion when he needed the Old Authority’s checkbook, Mr. Smith had to bring it from his home. Furthermore, a review of the Old Authority’s checking account showed that on several occasions, the bank had paid checks in excess of $2500 on Mr. Smith’s signature alone, without the required second endorsement of the Board Chairman. From a review of the Old Authority’s tax records, it was clear to the financial investigators that Mr. Smith had never issued a Form W-2 or Form 1099 to recognize his compensation for any of the unauthorized payments he had taken. Lastly, as noted in the parallel investigation above, there had been another cash shortage a few months before the unauthorized consulting fee check was discovered. In February 2003, the Operations Manager of the New Authority had ordered a surprise vault check at the New Facility. The initial cash count revealed a shortage of $9050.00. Mr. Smith was contacted by the Operations Manager, since only Mr. Smith and his subordinate had the combination to the safe. Mr. Smith indicated that he had taken a ‘‘short term loan’’ and would promptly replace the funds, which he did the next day by sliding an envelope under the Operations Manager’s office door containing a $7000.00 check and $2050.00 in cash. A further detailed vault cash count determined an additional shortage of $6000.00. Mr. Smith took responsibility for this further shortage and told the Operations Manager that no there was no additional shortage. He promptly repaid this amount too. In mid-September 2003, Mr. Smith paid restitution in excess of $155,000, with money from the insured investment account proceeds. This account had been fortuitously augmented with a life insurance payment due to the death of the other participant in the investment.
5. Smith’s explanation and rationale Mr. Smith stated that his salary at the Old Authority was approximately $70,000.00. He described his duties with the Old Authority as those of a controller, where he had oversight of all financial transactions and financial controls. Mr. Smith stated that in March of 2001 he began paying himself consulting fees for what he viewed was extra work handling part-time accounting matters for the Old Authority. He usually billed approximately twenty (20) hours a month at $70.00 per hour. The $1400 check that was first uncovered in 2003 was one of these unauthorized payments. These checks were not destroyed and were marked in the check register as ‘‘consulting fees’’ to Mr. Smith at $70.00 per hour, although Mr. Smith did not submit invoices to the Old Authority for these fees. To justify the reasonableness of his fees, Mr. Smith pointed to another consultant who billed the Old Authority $70.00 per hour but did submit invoices to the Old Authority. Mr. Smith was quoted as stating that the auditors from the local accounting firm were aware of the consulting fee checks to Mr. Smith. One auditor was said to have remarked to Mr. Smith that the $70.00 per hour he was charging was a ‘‘cheap rate’’ and that ‘‘he should come work for the auditors.’’ Mr. Smith admitted he did not have Board of Director approval for the consulting fees he paid to himself, but he did not think it was a problem. He stated that he worked overtime on weeknights and weekends on Old Authority accounting matters and that he went to his remote office after work hours to pick up the mail and work overtime. Mr. Smith believed that he had earned the consulting fees. When first confronted regarding the investment account, Mr. Smith stated that he did not recall issuing checks to a financial services company. Thereafter, the New Authority officials showed him $25,000 in Old Authority canceled checks payable to a financial services company for the investment account partially owned by Mr. Smith. Only then did Mr. Smith agree that these payments were personal and not related to Old Authority business.
30
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
When the Old Facility closed, employees were given one-half of their annual salary as a retention payment to keep them available for employment by the New Authority when the New Facility was completed. Mr. Smith acknowledged that he received his authorized $35,000 retention payment from the Old Authority. However, he then admitted that he paid himself an additional retention payment of $20,000, which was improper and unauthorized. Mr. Smith admitted to calling the Old Authority’s bank in July 2002 to request an event start-up cash delivery from an Old Authority checking account and he admitted that the armored courier had delivered $30,000 in cash to him at the New Facility’s money room in a sealed bank bag. Mr. Smith stated there was no event and the money did not make it to the safe. Mr. Smith used the $30,000 to pay bills and day-to-day living expenses. He also bought a vacation home, took gourmet cooking classes, and bought some expensive clothes for himself and his family. Mr. Smith disclosed that he had diverted royalty fees belonging to the Old Authority, which were from a company that manufactured replicas of the Old Facility. The royalty checks totaled about $9000.00 and were made payable to the Old Authority, directed ‘‘to the attention of Mr. Smith.’’ It seems that the ‘‘To the attention of Mr. Smith’’ language was used to dupe the bank into believing that the checks were payable to Mr. Smith. Smith removed these checks from the Old Authority’s mail and deposited them into his personal bank account.
6. How did Smith steal the cash? Mr. Smith explained that he and another employee who reported to him had the authorization code to order cash to be delivered to his office at the New Facility for event start-up cash. These cash withdrawals would appear as a charge against the Authority’s checking account. Mr. Smith selected the biggest public event scheduled for the New Facility (which is owned by the New Authority), however he ordered the event start-up cash from the Old Authority’s bank account. When the cash was delivered by armored courier to the New Facility’s money room, he signed the cash into the New Facility’s safe. Mr. Smith knew internal controls were in place with ticket seller/cashiers at each public show. The cashiers were assigned a roll of pre-numbered tickets and each cashier had to cash out and make an accounting with the event promoter for each ticket roll. The event promoter had the ability to do its own independent audit of ticket receipts, where the promoter would compare the turns on turnstile counters to the tickets sold. Internal controls here were tight. At the end of each event, after withdrawing the event start-up cash provided by the New Facility, the net ticket sales revenue from the event was placed in a locked bag and transferred to the promoter’s bank by armored courier. Mr. Smith denied stealing any ticket sales revenue. However, the procedure broke down when bagging the event start-up cash that had been withdrawn from the ticket sales funds. The event start-up cash was bagged separately and was to be sent via another armored courier back to the Old Authority’s bank for deposit into the operating account from which it had been first withdrawn to start the event. Mr. Smith admitted he could override this control procedure and did so by placing the start-up cash into the New Facility’s safe at the conclusion of the event. Mr. Smith gave the excuse that he was busy and it would save time reordering start-up cash for the next big public event if that start-up cash was left in the safe. During the next few weeks, Smith physically removed the cash by stuffing it in his suit pockets. When the next scheduled event was about to occur, he told his employees he had returned the event start-up cash to the Old Authority’s bank. He then told them he now believed it would be less cumbersome to access the New Authority’s bank account for the event start-up cash, rather than withdrawing and redelivering start-up cash to the Old Authority’s bank. When he began to confess to what he had done, Mr. Smith admitted he had used the armored courier scam before in early 2001 for about $5000, and he therefore knew that this theft scheme would work. That theft had not been detected. On balance, Mr. Smith thought he had been a good controller since he was sure that no one who was under his supervision had stolen from either Authority. Moreover, Smith viewed all of the funds he had taken as ‘‘loans’’ that he fully intended to repay from his future compensation and proceeds from the insured investment account.
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
31
Case questions: 1. Identify internal control weaknesses that provided the opportunity for Mr. Smith to commit the fraud. Include in your answer both preventive and detection internal controls. 2. What recommendations would you make for strengthening controls at the New Authority? 3. Both the Old and New Authorities were audited by a local accounting firm, although the fraud was not uncovered by the external auditors. Explain how the auditors should have searched for fraud (theft of assets) at the Old and New Authorities. What tests could the auditors have performed that might have detected the fraud? Be specific.
7. Teaching notes This section presents suggested answers to the three questions assigned in the case. Internal control weaknesses, recommendations for strengthening internal control, and tests that the auditor should have performed are not listed in order of importance in the following suggested answers. Question 1: Identify internal control weaknesses that provided the opportunity for Mr. Smith to commit the fraud. Include in your answer both preventive and detection internal controls. a. One major control weakness that allowed the fraud to be committed and go undetected for years was that there was weak, almost non-existent, oversight of Mr. Smith. Smith worked independently after the Old Facility closed and he became a part-time employee of the Old Authority. With the CFO’s knowledge and implicit approval, Smith took Authority financial records to his home and only went to the office to pick up mail. This despite the fact that Smith was writing approximately 100 checks annually, even after the Old Facility shut down. Smith met with the Board of Directors Chair once a month, but the main purpose of this meeting was to have the Chairperson sign checks in amounts greater than $2500. None of Smith’s supervisors or members of the Board were monitoring Smith’s actions, even though Smith had access to bank accounts and cash. b. Requiring two signatures on checks exceeding $2500 is an effective control, although there is evidence that the bank paid checks over $2500 with just Smith’s signature. This fact in the case provides an opportunity to discuss how controls that are designed to be effective may not be effective in practice. c. Authorization controls were weak as evidenced by the fact that Smith could authorize both a transaction and the payment for that transaction. Examples of this control weakness are Smith authorizing and paying (1) an extra $20,000 retention payment when the Old Authority shut down, (2) consulting fees to do accounting work, Smith’s normal job, for the Old Authority, and (3) payments to an investment account in Smith’s name. d. Separation of duties over authorization, access to cash, and recordkeeping was ineffective, since Smith could authorize transactions and payments, make entries in the accounting records, and authorize the transfer of significant amounts of start-up cash. When the Old Authority shut down, Smith was the only remaining employee who made entries into the accounting records. At the same time, Smith was able to transfer to and from the Old Authority’s bank up to $30,000 in cash used for events still run by the Old Authority. Smith’s ability to authorize and record transactions while having access to cash enabled him to steal funds and conceal the theft. e. Physical controls over cash were weak. While it may have been necessary for Smith to have access to cash, the Old Authority should have implemented a compensating control to ensure that Smith was not the only person with such access. For example, the safeguarding control was weak because a second person was not involved with the transfer and counting of startup cash. This provided Smith with the opportunity to steal cash without anyone monitoring the transfer and handling of cash. f. Somewhat related to control e, reconciliation controls for cash were weak. At no point was anyone other than Smith reconciling the amount of cash in the vault to the accounting record of cash that should be in the vault. Moreover, Smith was performing the monthly bank reconciliation for the Old Authority despite being the person who handled cash and kept the accounting records.
32
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
g. Smith was being paid consulting fees by the Old Authority. The consulting payments were being made to Smith without any documentation to support the validity of the payments. Such documentation could not exist because the work Smith was doing as a consultant was the same as what the Old Authority was paying him to do; i.e., Smith was being paid twice for the same work. Inadequate, or totally missing, documentation to support the consulting payments is therefore another control weakness. h. It appears that the Old Authority Board did not know about the royalty contract entered into by Smith. Smith was also forging checks received from this royalty contract. The fact that Smith was able to enter into a contract in the Old Authority’s name indicates a weakness in Board oversight and authorization controls. That is, Smith was able to complete a contract that should have been authorized by the Old Authority Board. i. Question 1 asks students to include both preventive and detection controls in their answers. Controls b, c, d, e, g, and h are preventive controls, while controls a and f are detection controls. Question 2: What recommendations would you make for strengthening controls at the New Authority? Since question 2 is related to question 1, students’ answers to question 2 should follow from their answers to question 1. 1. One major control weakness was the Old Authority Board’s weak oversight of Smith’s activities. A recommendation to improve controls at the New Authority should therefore be to improve Board oversight of all financial matters related to Authority activities. Improved oversight could include, for example, Board authorization and review of all financial transactions over a certain amount of money. While one Board member at the Old Authority did sign checks over $2500, oversight needs to be expanded to include all aspects of major financial transactions. 2. Controls over authorizing cash payments and transfers of start-up cash at the Old Authority were weak. Recommendations to improve authorization controls might include (1) requiring that different people authorize a transaction and subsequent cash payment for that transaction, (2) reducing the limit for two-signature checks to $1000, and (3) having a Board member approve all transfers of start-up cash. The Old Authority had a control that required two signatures for checks exceeding $2500.00. The control design was good, but the Authority’s bank paid checks over $2500 with just one signature. Lowering the limit for two signatures to $1000 may help, but for the control to be effective the New Authority has to ensure that the bank complies with the two-signature policy. Any deviations must be brought to the bank’s attention and continued violations might require changing banks. While having a Board member approve transfers of start-up cash might seem to be a burden, it should be remembered that such transfers are not daily occurrences and that each transfer involves a highly material amount of money, up to $30,000. 3. Having access to cash, being able to sign checks, and keeping the accounting records enabled Smith to steal significant amounts of money from the Old Authority. This problem was compounded by Smith being the person who reconciled the Old Authority’s bank accounts. Separation-of-duties controls therefore need to be strengthened to ensure that Authority employees with access to cash or who write checks are not involved with recording cash entries or with reconciling the bank account. 4. Smith was able to pay himself ‘‘consulting’’ fees and a second retention payment despite not having any documentation to support the validity of such payments. The New Authority should establish a documentation policy that requires (1) a complete set of documents to support all cash payments, (2) independent verification that supporting documents exist before payment is made, and (3) cancellation of documents after making payment. 5. Controls over handling cash at the New Authority need to be improved, with an emphasis on preventing the theft of cash. At the Old Authority, Smith was able to order start-up cash from the Authority’s bank, have custody of the cash while an event was in progress, and return the cash to the bank after the event ended. The New Authority should improve controls over handling start-up cash by having two employees involved with the transfer and custody of cash before, during, and after an event. Both Authority employees, along with bank employees and the courier,
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
33
should be required to sign for the transfer of cash and for the amount of cash being transferred. During the event, no one employee should be able to access cash by himself or herself. The amounts of start-up cash needed for each event are material, and controls therefore need to reflect this. 6. Smith’s theft was detected when someone covering for him while he was on vacation noticed a $1400 check that was paid to Smith from the Old Authority’s bank account. This provides an opportunity to point out the importance of having a mandatory vacation policy so that employees who are stealing are not always around to cover-up their thefts. Question 3: Both the Old and New Authorities were audited by a local accounting firm, although the fraud was not uncovered by the external auditors. Explain how the auditors should have searched for fraud (theft of assets) at the Old and New Authorities. What tests could the auditors have performed that might have detected the fraud? Be specific. The case write-up does not specify how the auditors searched for fraud at the Old Authority, and there is no indication that the auditors actually conducted a fraud search. The discussion of question 3 can begin by emphasizing to students that a main function of the Old Authority was to collect rent and other cash receipts and to pay cash for debts and expenses. That is, there was a lot of cash flowing through the Old Authority, which should have heightened the auditor’s concern about the risk of theft. It is also helpful to point out that Smith was not taking extensive steps to conceal the fraud. For example, the check for the second (unauthorized) retention payment was made payable to Smith, as were checks for Smith’s ‘‘consulting’’ services. The retention and consulting payments, both for material amounts, were unauthorized and not supported by documentation, which should have been easy for an auditor to detect. Instead, the auditor told Smith that his hourly consulting rate was cheap and that he should work for the auditors. The problem appears to be that the auditor did not suspect or search for fraud at the Old Authority, or if the auditor did a fraud search, it was clearly ineffective. Students will specify different types of tests that should have been performed, but it is important that these tests begin with the cash disbursements journal. For example, there were numerous checks made out to Smith, most in the amount of $1400. Having a check made out to Smith and signed by Smith should have been a red flag. The auditor should have established that these checks to Smith were valid by tracing from the check register to supporting documentation for these payments. Since there was no supporting documentation for these payments to Smith, the fraud could have been uncovered in this way. Each accounting employee of the Old Authority was authorized to receive one retention payment. The auditor should have verified that each employee received only one retention payment and that the amount paid agreed with the amount authorized by the Old Authority Board. Since the time when these retention payments was made would be known, a simple check of the cash disbursements journal should have revealed the second payment to Smith, especially since the amount of the second check was $20,000. That is, the cash disbursements journal would show two highly material payments to Smith within a short period of time. Smith stole start-up cash, basically by putting dollar bills in his coat pockets and walking out the door. The audit tests to detect the theft of start-up cash have to begin with the auditor identifying the events held at the Old Facility. Once the auditor knows the schedule of events at the Old Facility, then he or she can trace from the events to the cash transfers to and from the bank. Each event should have resulted in one cash transfer from the bank to the Old or New Facility and a subsequent cash transfer from the Old or New Facility to the bank. Smith began leaving cash in the safe, which would enable the auditor to detect that cash was not being returned to the bank after some events. Follow-up would still be needed to trace the cash that should be in the safe. Since Smith had stolen this cash, the auditor should have been able to detect that funds were missing. Smith was making payments from the Old Authority bank account to an investment account in his name. Payments to the investment account amounted to $25,000. Such checks would not appear to have a business purpose for the Old Authority, and the checks were likely made payable to the investment company. The auditor may have been alerted to this theft by scanning the cash disbursements journal for ‘‘unusual’’ payees. Such checks should have been traced to supporting documentation to establish that there was a business purpose for the transaction. Checks were being put into an investment account under Smith’s name, which should have been evident from the supporting documentation.
34
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
It would have been difficult for the auditor to detect Smith’s theft of the royalty payments. Smith appears to have entered into this agreement on his own, although he used the Old Authority’s name in the contract. The problem an auditor faces is that the contract and payments will not appear in the Old Authority’s records or books. For example, there would not be any evidence that the Board authorized entering into the contract and the royalty checks were not recorded on the Old Authority’s books. 8. Learning objectives and implementation guidance This section identifies the major learning objectives for the case and provides guidance for using the case in the first auditing course. 8.1. Learning objectives The case provides auditing students with a real-world scenario of a theft-of-asset fraud that occurred at a quasi-governmental unit. A primary learning objective of the case is to reinforce textbook coverage of internal controls in a situation that students might encounter during their careers. Controls covered in the case include oversight or monitoring, physical safeguarding of assets, authorization, separation of duties, reconciliation, and documentation. Students are first asked to identify control weaknesses that allowed the fraud to go undetected for years. Students are then asked to recommend improvements to internal controls that would reduce the risk of a similar fraud occurring. The case therefore focuses on both preventive and detection controls that relate to defalcations. Corporate scandals such as Enron, Worldcom, and Tyco, and the subsequent release of SAS 99, Consideration of Fraud in a Financial Statement Audit (AICPA, 2002), increased the importance of covering fraud detection in the first auditing course. A second primary learning objective for the case is to illustrate how auditors should search for theft-of-asset fraud. Although the client in the case is a quasigovernment entity and not a for-profit business, the case provides students with a real-world example of how to conduct a fraud search. Since the fraud was not discovered for years, the case actually points out mistakes that the auditors made, which leads to a discussion of what the auditors should have done. 8.2. Implementation guidance This case has been used multiple times in an introductory auditing course. Topics that must be covered before assigning the case include internal control, audit evidence, and fraud risk assessment. Since the case deals with a theft-of-assets fraud, it is important to first cover controls and fraud risk factors related to defalcations. The case analysis was given as an individual assignment, although it could also be completed by groups of students. Given that the case is not particularly complex or time-consuming, student groups should be limited to two or three members. Students were given two weeks to complete the case, which was sufficient time for the assignment. The case was discussed in class on the due date. While the class period where the case was discussed was one hour and 15 minutes, the case can easily be covered in a 50-minutes class session. Students are given a handout with guidelines for completing the case (see Exhibit 1). The guidelines were intended to help students analyze the case and prepare their reports, and to help the instructor grade the students’ reports by standardizing the report structure and content. Some students have a tendency to write too much, possibly thinking that instructors will be impressed by the length of the report. The five-page rule was intended to discourage excessive writing and to force students to focus on the questions asked. Five pages were adequate to answer the three case questions. Grading was facilitated by having students bullet-point their answers. This clarified for the instructor, for example, the number of internal control weaknesses identified, and it also helped detect redundancies in some students’ answers. The guidelines sheet also identifies the grading criteria, and these were reinforced when the case was assigned. Getting students to write specific answers is emphasized at our school, and this was
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
35
Exhibit 1. Guidelines for completing case.
1. The due date for the case is Monday, December 1st. Late case submissions will not be accepted. 2. Cases can be no more than five pages long, double spaced with appropriate margins. A 12-point font must be used. 3. Use bullet points to structure your answers to the case questions. For example, the answer to case question 1 should be structured as: Internal Control Weakness 1:: describe the control weakness. Internal Control Weakness 2: describe the control weakness. Do not write narrative answers to any of the case questions. 4. Identify the question (in italics) prior to answering the question. For example, Identify internal control weaknesses that provided the opportunity for Mr. Smith to commit the fraud. Include in your answer both preventive and detection internal controls. Your answer would then follow the question. 5. Cases will be graded based on the comprehensiveness (e.g., number of internal control weaknesses identified), correctness (e.g., identified control weakness is actually a weakness), specificity of your answer, and writing quality. 6. Proofread your case analysis before it is submitted for grading. Points will be deducted for each misspelled word. 7. The case relates to chapters 5 (audit evidence), 6 (internal control) and 9 (fraud) in the course textbook. Some content from these two chapters will therefore be helpful in answering the case questions. therefore identified as a specific grading criterion. Despite identifying specificity as a grading criterion, some students’ answers were vague and did not incorporate much specific information from the case. This criterion will be modified in future semesters to require that students incorporate case information in all of their answers. Stating that grades would depend, in part, on the ‘‘number of internal control weaknesses identified’’ actually created a problem with a few students who identified approximately 20 internal control weaknesses, many of which were redundant. This grading criterion was modified to minimize this problem by requiring that students identify the three most important internal control weaknesses that allowed the fraud to be committed. A common problem with cases is that answers are available after the case has been assigned one time; i.e., the one-use problem. This problem can be dealt with by assigning different questions in subsequent uses of the case. For example, students might be asked to answer a question related to the fraud triangle, with most attention being paid to the opportunity to commit fraud. Students might also be asked to identify key controls for a situation that existed at the Old Authority, and to then compare those key controls with what was actually being done at the Authority. 9. Assessment Students in two sections of an introductory auditing course were asked to complete a short questionnaire that assessed the effectiveness of the case in meeting identified learning objectives. The assessment questionnaire is presented in Exhibit 2.
36
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37 Exhibit 2. Fraud at a public authority: Assessment questionnaire. The following questions relate to the Fraud at a Public Authority case that you recently completed. Please answer each question by circling the number that represents your opinion about different aspects of the case. Results of the questionnaire, which are anonymous, will be used to make improvements to the case.
1. Overall, completing the Fraud at a Public Authority case was a valuable learning experience: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 2. The case was effective as a means of reinforcing textbook coverage of internal controls in a realistic situation: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 3. Completing the case helped me understand how internal control weaknesses can create opportunities for fraud to be committed: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 4. Completing the case helped me understand the difference between internal controls that are effective for preventing fraud and internal controls that are effective for detecting fraud: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 5. The case was an effective way to illustrate how fraud (theft of assets) could be committed at a client’s organization: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 6. The case helped me learn how to design audit tests to search for different means for committing defalcation fraud: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 7. The case was effective for illustrating mistakes that auditors might make, which can help me avoid making similar mistakes: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 8. The time allowed (two weeks) for completing the case was adequate: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 9. Case questions were clearly worded and easily understood: Neither Agree Strongly Disagree Disagree or Disagree Agree 1 2 3 4
Strongly Agree 5
10. Guidance for how to write the case report was clear and adequate: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 11. The case was interesting and relevant to the auditing course: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 12. I would recommend using the Fraud at a Public Authority case in future classes: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 Thank you for completing the survey
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
37
Table 1 Mean responses to assessment questionnaire. Question
Day section
Evening section
1 2 3 4 5 6 7 8 9 10 11 12
4.25 4.29 4.25 3.54 4.58 3.60 4.13 4.00 3.50 3.71 4.46 4.33
4.18 4.29 4.46 3.46 4.43 3.80 4.07 4.32 3.70 3.89 4.36 4.25
Twenty-four students in a day section and 28 students in an evening section of the first auditing course completed the assessment questionnaire. Responses were made on a five-point scale and mean responses for each question are shown in Table 1. The first identified learning objective for the case was to reinforce textbook coverage of internal controls in a situation that students might encounter during their careers. Assessment questions 2–5 relate to this learning objective. Results indicate that students in both sections (Q2; means of 4.29 in both classes) indicated that the case was effective in reinforcing textbook coverage of internal controls in a realistic situation. Students also indicated that the case helped them understand how internal control weaknesses create an opportunity for fraud (Q3; means of 4.25 and 4.46) and how defalcation fraud could be committed at a client’s organization (Q5: means of 4.58 and 4.43). The case was perceived as being less effective (Q4; means of 3.54 and 3.46) in helping students distinguish between preventive and detection controls. The second identified learning objective for the case was to illustrate how auditors should search for theft-of-asset fraud. Assessment questions 6 and 7 specifically relate to this learning objective. The case was not perceived as being highly effective for helping students learn how to design audit tests to search for defalcations (Q6, means of 3.60 and 3.80), however, the case was more effective for illustrating mistakes that auditors make, which might help students avoid similar mistakes (Q7, means of 4.13 and 4.07). Mean responses to question 1 show that students in both sections (means of 4.25 and 4.18) perceived the case to be a valuable learning experience. Students also perceived the case to be interesting and relevant to the auditing course (Q11, means of 4.46 and 4.36) and they would recommend assigning the case in future classes (Q12, means of 4.33 and 4.25). Overall, the assessment results indicate that the case achieves important learning objectives and that students find it interesting, relevant, and valuable. References American Institute of Certified Public Accountants (AICPA) 2002. Consideration of Fraud in a Financial Statement Audit. Statement on Auditing Standards No. 99. New York. Durtschi, C. (2003). The tallahassee beancounters: A problem-based learning case in forensic auditing. Issues in Accounting Education, 18(2), 137–173.
Contents lists available at ScienceDirect
J. of Acc. Ed. journal homepage: www.elsevier.com/locate/jaccedu
Case
Fraud at a public authority William G. Brucker 1, James E. Rebele ⇑ Department of Accounting and Taxation, Robert Morris University, 6001 University Boulevard, Moon Township, PA 15108, United States
a r t i c l e
i n f o
Keywords: Defalcation Internal control Fraud examination
a b s t r a c t This case describes a fraud committed at a public authority which operated a municipal facility that was used for sporting events and concerts. The fraud was committed by the authority’s chief accounting officer who stole tens of thousands of dollars in cash over a period of several years. The case describes how the cash was stolen and concealed by the authority’s chief accountant. Case questions ask students to identify internal control weaknesses that allowed the fraud to be committed, recommend improvements to internal controls, and identify how the auditor should have searched for the fraud. Assessment evidence indicates that the case is effective in meeting identified learning objectives. The case has been used in the first auditing course, and it would also be suitable for use in a forensic accounting course. Ó 2010 Elsevier Ltd. All rights reserved.
1. Introduction Covering fraud has become an important part of most auditing courses and the need for auditors to improve fraud detection is one motivation behind the expansion of forensic accounting course offerings at many universities. Of the two basic types of fraud, textbook examples and end-of-chapter materials tend to focus more on fraudulent financial reporting than on theft of assets, or defalcation. This is perhaps due to the visibility and availability of information on, for example, Enron and Worldcom as opposed to information available on thefts occurring at local businesses, government agencies, or charitable organizations. Students are, however, likely to encounter asset-theft cases in their careers and instructional resources on this type of fraud are therefore needed. Several asset-theft cases (e.g. Durtschi, 2003) are ⇑ Corresponding author. Tel.: +1 412 397 4894. 1
E-mail addresses: [email protected] (W.G. Brucker), [email protected] (J.E. Rebele). Tel.: +1 412 397 3433.
0748-5751/$ - see front matter Ó 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.jaccedu.2010.10.001
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
27
available, although a potential drawback to some cases is their complexity and time needed for completing the case and for classroom discussion. This case describes a situation where an accountant working for a public authority stole tens of thousands of dollars over a period of several years. The case illustrates how ineffective internal controls create an opportunity for employees to steal assets. Students are asked to identify the internal control weaknesses that provided the opportunity for the accountant to steal cash, make recommendations to strengthen controls, and discuss how the authority’s auditor should have searched for this fraud. The case is based on a real-life event, although the names of the authorities and individuals have been changed. The case, which effectively meets important learning objectives, can be used in a first auditing or forensic accounting course. 2. Background From 1998 until 2001, Tom Smith was employed as controller for a public authority (‘‘Old Authority’’). A public authority is a type of governmental unit (in some states referred to as a special district) that is separately incorporated for the purpose of acquiring, financing, and operating real properties, such as athletic stadiums, convention centers, water systems, airports, and public transit. The goal of a public authority is to insulate local and state governments from the liabilities related to owning and operating these types of real properties. The board of directors of a public authority, once appointed, acts independently of local and state government. Old Authority owned and operated a large municipal facility (Old Facility) that was used for major athletic and entertainment events, such as football, baseball, and concerts. The Old Facility was imploded in 1999 and a new public authority (‘‘New Authority’’) immediately commenced construction on a new municipal facility that would be used for the same purposes (‘‘New Facility’’). After the Old Facility was demolished, Mr. Smith remained as the sole accounting employee of Old Authority where he continued to provide accounting services on a part-time basis. Although the Old Facility had been demolished, the Old Authority continued to exist to collect rent payments from other properties that it owned and to repay existing long-term debt. In early 2001, Mr. Smith was hired as the full-time controller for the New Authority, which owned and operated the New Facility. Smith remained employed both as the full-time controller of the New Authority and part-time accountant for the Old Authority until the fraud was detected in the fall of 2003. 3. Duties Mr. Smith’s responsibilities at the Old Authority included monthly payroll, collecting receipts, making payments, budgeting, making entries into the books of original entry, and preparing financial reports for the Board of Directors of Old Authority. Mr. Smith had access to cash in the Old Authority’s safe and he was authorized to order cash from the Old Authority’s bank in order to provide the monies cashiers needed for an event at the Old Facility (‘‘start-up cash’’). Mr. Smith had full access to all of the Old Authority’s computers. Following concerts at the Old Facility, Mr. Smith was responsible for meeting with the concert’s promoters, counting the event receipts, and returning the start-up cash to the Old Authority’s safe. Mr. Smith was charged with arranging for an armored courier to pick-up the start-up cash the next day for its return to the Old Authority’s bank. The monthly income statement and balance sheet were prepared with a financial software package utilized by Old Authority. At year-end, Mr. Smith prepared all form W-2’s and 1099s related to compensation and he was responsible for filing all tax reports. Mr. Smith had two employees who performed accounting functions under his supervision. A local accounting firm audited the Old Authority annually. Mr. Smith was responsible for assembling the documents that the auditors requested and answering their questions. Mr. Smith developed a good relationship with the auditors. Mr. Smith reported to the Chairman of the Board of Directors of the Old Authority. Smith met with the Chairman at monthly meetings where he secured the Chairman’s signature on checks that
28
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
exceeded $2500.00. The Old Authority’s bank account signature authorization allowed Mr. Smith alone to sign checks up to $2500.00. From March 1999 until January 2001, while the New Authority was constructing the New Facility, Mr. Smith served as the part-time controller of the Old Authority. The other accounting employees who had reported to him at the Old Authority had been laid off. Mr. Smith and the furloughed employees received a retention bonus payment from the Old Authority equal to one-half of their annual salary. Smith’s office was moved to a remote building owned by the Old Authority. Mr. Smith maintained a check register on a computer at this remote office, but moved all of the checks and other financial documents of the Old Authority to his home in order to make performing his duties more convenient. Mr. Smith went to the remote office to pick up mail and to meet with the local accountants for the Old Authority’s annual audit examination. After the Old Authority’s operations were moved to the remote office, Mr. Smith wrote about 100 checks per year from the Old Authority’s checking account. In early 2001, Mr. Smith was hired as the full-time controller of the New Authority. He also continued to manage the books and records of the Old Authority. As controller of the New Authority, Mr. Smith had substantially the same duties that he performed for the Old Authority, including the ability to record entries into the books of original entry, access to cash in the safe, and the authorization to order event start-up cash. New Authority explicitly noted in the employment letter to Mr. Smith that his salary included the bookkeeping services he would perform for the Old Authority.
4. Discovery of the theft In June 2003, while Mr. Smith was on vacation, an accounting employee from the New Authority picked up the mail from the remote office and noted that the Old Authority’s bank statement contained a $1400 canceled check payable to Mr. Smith. It was determined that the check, which Smith paid to himself for ‘‘consulting fees,’’ was unauthorized. The New Authority’s financial staff conducted an internal audit and discovered approximately $15,000 in unauthorized checks from April 2002 through March 2003. Soon thereafter, a meeting was called by the Board of Directors of the New Authority where Mr. Smith was confronted with the $15,000 in unauthorized checks. Mr. Smith admitted to writing these checks, but then stated that there were no other unauthorized transactions. Nonetheless, following the meeting further internal audit by the financial staff discovered a total of $70,000 of unauthorized checks, $20,000 in unauthorized retention payments, and $25,000 of unauthorized payments for an insured investment account that was partially owned by Smith. Moreover, an outside agency’s parallel investigation of the New Authority’s cash disclosed a loss of approximately $15,000 in funds which had been recovered earlier from Mr. Smith. A second meeting was called with Mr. Smith at which time he admitted to the newly discovered transactions and advised there were life insurance proceeds from the insured investment that he expected to receive due to the death of the other investment participant. Mr. Smith intended to use these funds to pay restitution. Once again, he denied that there were any more unauthorized transactions. A few days after the second meeting in 2003, the financial staff discovered an unexplained $30,000 cash transaction to Mr. Smith drawn on an Old Authority bank account. The transaction appeared to be start-up cash for an event at the Old Facility, even though the Old Facility had been demolished in 1999. Mr. Smith authorized that the cash be delivered to him by armored courier. Moreover, in the course of the investigation, the financial staff found reference to a ‘‘royalty contract’’ between the Old Authority and a memento manufacturer on a computer at the remote site. The manufacturer had been producing and selling replicas of the ‘‘Old Facility’’ to sports enthusiasts as mementos and paying a royalty to the Old Authority. The Board of Directors was unaware of this agreement. On further investigation, it was discovered that the royalty checks from the memento manufacturer had been forged by Mr. Smith and deposited into his personal checking account. When Mr. Smith was confronted with this new evidence, he admitted to the transactions and again said there were no other unauthorized transactions.
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
29
The financial investigators were stymied for they did not know how many computers either Authority owned. Neither Authority had any policies with regard to the use of computers. The financial investigators found at least four computers that were available to Mr. Smith, yet other information from the check register indicated that may have been at least three more computers. To add to the financial woes, the CFO of the New Authority, who supervised Mr. Smith’s activities at the New Authority as well as Mr. Smith’s diminished accounting activities for the Old Authority, admitted that he approved Mr. Smith’s taking the Old Authority’s financial documents home. The CFO stated that on one occasion when he needed the Old Authority’s checkbook, Mr. Smith had to bring it from his home. Furthermore, a review of the Old Authority’s checking account showed that on several occasions, the bank had paid checks in excess of $2500 on Mr. Smith’s signature alone, without the required second endorsement of the Board Chairman. From a review of the Old Authority’s tax records, it was clear to the financial investigators that Mr. Smith had never issued a Form W-2 or Form 1099 to recognize his compensation for any of the unauthorized payments he had taken. Lastly, as noted in the parallel investigation above, there had been another cash shortage a few months before the unauthorized consulting fee check was discovered. In February 2003, the Operations Manager of the New Authority had ordered a surprise vault check at the New Facility. The initial cash count revealed a shortage of $9050.00. Mr. Smith was contacted by the Operations Manager, since only Mr. Smith and his subordinate had the combination to the safe. Mr. Smith indicated that he had taken a ‘‘short term loan’’ and would promptly replace the funds, which he did the next day by sliding an envelope under the Operations Manager’s office door containing a $7000.00 check and $2050.00 in cash. A further detailed vault cash count determined an additional shortage of $6000.00. Mr. Smith took responsibility for this further shortage and told the Operations Manager that no there was no additional shortage. He promptly repaid this amount too. In mid-September 2003, Mr. Smith paid restitution in excess of $155,000, with money from the insured investment account proceeds. This account had been fortuitously augmented with a life insurance payment due to the death of the other participant in the investment.
5. Smith’s explanation and rationale Mr. Smith stated that his salary at the Old Authority was approximately $70,000.00. He described his duties with the Old Authority as those of a controller, where he had oversight of all financial transactions and financial controls. Mr. Smith stated that in March of 2001 he began paying himself consulting fees for what he viewed was extra work handling part-time accounting matters for the Old Authority. He usually billed approximately twenty (20) hours a month at $70.00 per hour. The $1400 check that was first uncovered in 2003 was one of these unauthorized payments. These checks were not destroyed and were marked in the check register as ‘‘consulting fees’’ to Mr. Smith at $70.00 per hour, although Mr. Smith did not submit invoices to the Old Authority for these fees. To justify the reasonableness of his fees, Mr. Smith pointed to another consultant who billed the Old Authority $70.00 per hour but did submit invoices to the Old Authority. Mr. Smith was quoted as stating that the auditors from the local accounting firm were aware of the consulting fee checks to Mr. Smith. One auditor was said to have remarked to Mr. Smith that the $70.00 per hour he was charging was a ‘‘cheap rate’’ and that ‘‘he should come work for the auditors.’’ Mr. Smith admitted he did not have Board of Director approval for the consulting fees he paid to himself, but he did not think it was a problem. He stated that he worked overtime on weeknights and weekends on Old Authority accounting matters and that he went to his remote office after work hours to pick up the mail and work overtime. Mr. Smith believed that he had earned the consulting fees. When first confronted regarding the investment account, Mr. Smith stated that he did not recall issuing checks to a financial services company. Thereafter, the New Authority officials showed him $25,000 in Old Authority canceled checks payable to a financial services company for the investment account partially owned by Mr. Smith. Only then did Mr. Smith agree that these payments were personal and not related to Old Authority business.
30
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
When the Old Facility closed, employees were given one-half of their annual salary as a retention payment to keep them available for employment by the New Authority when the New Facility was completed. Mr. Smith acknowledged that he received his authorized $35,000 retention payment from the Old Authority. However, he then admitted that he paid himself an additional retention payment of $20,000, which was improper and unauthorized. Mr. Smith admitted to calling the Old Authority’s bank in July 2002 to request an event start-up cash delivery from an Old Authority checking account and he admitted that the armored courier had delivered $30,000 in cash to him at the New Facility’s money room in a sealed bank bag. Mr. Smith stated there was no event and the money did not make it to the safe. Mr. Smith used the $30,000 to pay bills and day-to-day living expenses. He also bought a vacation home, took gourmet cooking classes, and bought some expensive clothes for himself and his family. Mr. Smith disclosed that he had diverted royalty fees belonging to the Old Authority, which were from a company that manufactured replicas of the Old Facility. The royalty checks totaled about $9000.00 and were made payable to the Old Authority, directed ‘‘to the attention of Mr. Smith.’’ It seems that the ‘‘To the attention of Mr. Smith’’ language was used to dupe the bank into believing that the checks were payable to Mr. Smith. Smith removed these checks from the Old Authority’s mail and deposited them into his personal bank account.
6. How did Smith steal the cash? Mr. Smith explained that he and another employee who reported to him had the authorization code to order cash to be delivered to his office at the New Facility for event start-up cash. These cash withdrawals would appear as a charge against the Authority’s checking account. Mr. Smith selected the biggest public event scheduled for the New Facility (which is owned by the New Authority), however he ordered the event start-up cash from the Old Authority’s bank account. When the cash was delivered by armored courier to the New Facility’s money room, he signed the cash into the New Facility’s safe. Mr. Smith knew internal controls were in place with ticket seller/cashiers at each public show. The cashiers were assigned a roll of pre-numbered tickets and each cashier had to cash out and make an accounting with the event promoter for each ticket roll. The event promoter had the ability to do its own independent audit of ticket receipts, where the promoter would compare the turns on turnstile counters to the tickets sold. Internal controls here were tight. At the end of each event, after withdrawing the event start-up cash provided by the New Facility, the net ticket sales revenue from the event was placed in a locked bag and transferred to the promoter’s bank by armored courier. Mr. Smith denied stealing any ticket sales revenue. However, the procedure broke down when bagging the event start-up cash that had been withdrawn from the ticket sales funds. The event start-up cash was bagged separately and was to be sent via another armored courier back to the Old Authority’s bank for deposit into the operating account from which it had been first withdrawn to start the event. Mr. Smith admitted he could override this control procedure and did so by placing the start-up cash into the New Facility’s safe at the conclusion of the event. Mr. Smith gave the excuse that he was busy and it would save time reordering start-up cash for the next big public event if that start-up cash was left in the safe. During the next few weeks, Smith physically removed the cash by stuffing it in his suit pockets. When the next scheduled event was about to occur, he told his employees he had returned the event start-up cash to the Old Authority’s bank. He then told them he now believed it would be less cumbersome to access the New Authority’s bank account for the event start-up cash, rather than withdrawing and redelivering start-up cash to the Old Authority’s bank. When he began to confess to what he had done, Mr. Smith admitted he had used the armored courier scam before in early 2001 for about $5000, and he therefore knew that this theft scheme would work. That theft had not been detected. On balance, Mr. Smith thought he had been a good controller since he was sure that no one who was under his supervision had stolen from either Authority. Moreover, Smith viewed all of the funds he had taken as ‘‘loans’’ that he fully intended to repay from his future compensation and proceeds from the insured investment account.
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
31
Case questions: 1. Identify internal control weaknesses that provided the opportunity for Mr. Smith to commit the fraud. Include in your answer both preventive and detection internal controls. 2. What recommendations would you make for strengthening controls at the New Authority? 3. Both the Old and New Authorities were audited by a local accounting firm, although the fraud was not uncovered by the external auditors. Explain how the auditors should have searched for fraud (theft of assets) at the Old and New Authorities. What tests could the auditors have performed that might have detected the fraud? Be specific.
7. Teaching notes This section presents suggested answers to the three questions assigned in the case. Internal control weaknesses, recommendations for strengthening internal control, and tests that the auditor should have performed are not listed in order of importance in the following suggested answers. Question 1: Identify internal control weaknesses that provided the opportunity for Mr. Smith to commit the fraud. Include in your answer both preventive and detection internal controls. a. One major control weakness that allowed the fraud to be committed and go undetected for years was that there was weak, almost non-existent, oversight of Mr. Smith. Smith worked independently after the Old Facility closed and he became a part-time employee of the Old Authority. With the CFO’s knowledge and implicit approval, Smith took Authority financial records to his home and only went to the office to pick up mail. This despite the fact that Smith was writing approximately 100 checks annually, even after the Old Facility shut down. Smith met with the Board of Directors Chair once a month, but the main purpose of this meeting was to have the Chairperson sign checks in amounts greater than $2500. None of Smith’s supervisors or members of the Board were monitoring Smith’s actions, even though Smith had access to bank accounts and cash. b. Requiring two signatures on checks exceeding $2500 is an effective control, although there is evidence that the bank paid checks over $2500 with just Smith’s signature. This fact in the case provides an opportunity to discuss how controls that are designed to be effective may not be effective in practice. c. Authorization controls were weak as evidenced by the fact that Smith could authorize both a transaction and the payment for that transaction. Examples of this control weakness are Smith authorizing and paying (1) an extra $20,000 retention payment when the Old Authority shut down, (2) consulting fees to do accounting work, Smith’s normal job, for the Old Authority, and (3) payments to an investment account in Smith’s name. d. Separation of duties over authorization, access to cash, and recordkeeping was ineffective, since Smith could authorize transactions and payments, make entries in the accounting records, and authorize the transfer of significant amounts of start-up cash. When the Old Authority shut down, Smith was the only remaining employee who made entries into the accounting records. At the same time, Smith was able to transfer to and from the Old Authority’s bank up to $30,000 in cash used for events still run by the Old Authority. Smith’s ability to authorize and record transactions while having access to cash enabled him to steal funds and conceal the theft. e. Physical controls over cash were weak. While it may have been necessary for Smith to have access to cash, the Old Authority should have implemented a compensating control to ensure that Smith was not the only person with such access. For example, the safeguarding control was weak because a second person was not involved with the transfer and counting of startup cash. This provided Smith with the opportunity to steal cash without anyone monitoring the transfer and handling of cash. f. Somewhat related to control e, reconciliation controls for cash were weak. At no point was anyone other than Smith reconciling the amount of cash in the vault to the accounting record of cash that should be in the vault. Moreover, Smith was performing the monthly bank reconciliation for the Old Authority despite being the person who handled cash and kept the accounting records.
32
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
g. Smith was being paid consulting fees by the Old Authority. The consulting payments were being made to Smith without any documentation to support the validity of the payments. Such documentation could not exist because the work Smith was doing as a consultant was the same as what the Old Authority was paying him to do; i.e., Smith was being paid twice for the same work. Inadequate, or totally missing, documentation to support the consulting payments is therefore another control weakness. h. It appears that the Old Authority Board did not know about the royalty contract entered into by Smith. Smith was also forging checks received from this royalty contract. The fact that Smith was able to enter into a contract in the Old Authority’s name indicates a weakness in Board oversight and authorization controls. That is, Smith was able to complete a contract that should have been authorized by the Old Authority Board. i. Question 1 asks students to include both preventive and detection controls in their answers. Controls b, c, d, e, g, and h are preventive controls, while controls a and f are detection controls. Question 2: What recommendations would you make for strengthening controls at the New Authority? Since question 2 is related to question 1, students’ answers to question 2 should follow from their answers to question 1. 1. One major control weakness was the Old Authority Board’s weak oversight of Smith’s activities. A recommendation to improve controls at the New Authority should therefore be to improve Board oversight of all financial matters related to Authority activities. Improved oversight could include, for example, Board authorization and review of all financial transactions over a certain amount of money. While one Board member at the Old Authority did sign checks over $2500, oversight needs to be expanded to include all aspects of major financial transactions. 2. Controls over authorizing cash payments and transfers of start-up cash at the Old Authority were weak. Recommendations to improve authorization controls might include (1) requiring that different people authorize a transaction and subsequent cash payment for that transaction, (2) reducing the limit for two-signature checks to $1000, and (3) having a Board member approve all transfers of start-up cash. The Old Authority had a control that required two signatures for checks exceeding $2500.00. The control design was good, but the Authority’s bank paid checks over $2500 with just one signature. Lowering the limit for two signatures to $1000 may help, but for the control to be effective the New Authority has to ensure that the bank complies with the two-signature policy. Any deviations must be brought to the bank’s attention and continued violations might require changing banks. While having a Board member approve transfers of start-up cash might seem to be a burden, it should be remembered that such transfers are not daily occurrences and that each transfer involves a highly material amount of money, up to $30,000. 3. Having access to cash, being able to sign checks, and keeping the accounting records enabled Smith to steal significant amounts of money from the Old Authority. This problem was compounded by Smith being the person who reconciled the Old Authority’s bank accounts. Separation-of-duties controls therefore need to be strengthened to ensure that Authority employees with access to cash or who write checks are not involved with recording cash entries or with reconciling the bank account. 4. Smith was able to pay himself ‘‘consulting’’ fees and a second retention payment despite not having any documentation to support the validity of such payments. The New Authority should establish a documentation policy that requires (1) a complete set of documents to support all cash payments, (2) independent verification that supporting documents exist before payment is made, and (3) cancellation of documents after making payment. 5. Controls over handling cash at the New Authority need to be improved, with an emphasis on preventing the theft of cash. At the Old Authority, Smith was able to order start-up cash from the Authority’s bank, have custody of the cash while an event was in progress, and return the cash to the bank after the event ended. The New Authority should improve controls over handling start-up cash by having two employees involved with the transfer and custody of cash before, during, and after an event. Both Authority employees, along with bank employees and the courier,
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
33
should be required to sign for the transfer of cash and for the amount of cash being transferred. During the event, no one employee should be able to access cash by himself or herself. The amounts of start-up cash needed for each event are material, and controls therefore need to reflect this. 6. Smith’s theft was detected when someone covering for him while he was on vacation noticed a $1400 check that was paid to Smith from the Old Authority’s bank account. This provides an opportunity to point out the importance of having a mandatory vacation policy so that employees who are stealing are not always around to cover-up their thefts. Question 3: Both the Old and New Authorities were audited by a local accounting firm, although the fraud was not uncovered by the external auditors. Explain how the auditors should have searched for fraud (theft of assets) at the Old and New Authorities. What tests could the auditors have performed that might have detected the fraud? Be specific. The case write-up does not specify how the auditors searched for fraud at the Old Authority, and there is no indication that the auditors actually conducted a fraud search. The discussion of question 3 can begin by emphasizing to students that a main function of the Old Authority was to collect rent and other cash receipts and to pay cash for debts and expenses. That is, there was a lot of cash flowing through the Old Authority, which should have heightened the auditor’s concern about the risk of theft. It is also helpful to point out that Smith was not taking extensive steps to conceal the fraud. For example, the check for the second (unauthorized) retention payment was made payable to Smith, as were checks for Smith’s ‘‘consulting’’ services. The retention and consulting payments, both for material amounts, were unauthorized and not supported by documentation, which should have been easy for an auditor to detect. Instead, the auditor told Smith that his hourly consulting rate was cheap and that he should work for the auditors. The problem appears to be that the auditor did not suspect or search for fraud at the Old Authority, or if the auditor did a fraud search, it was clearly ineffective. Students will specify different types of tests that should have been performed, but it is important that these tests begin with the cash disbursements journal. For example, there were numerous checks made out to Smith, most in the amount of $1400. Having a check made out to Smith and signed by Smith should have been a red flag. The auditor should have established that these checks to Smith were valid by tracing from the check register to supporting documentation for these payments. Since there was no supporting documentation for these payments to Smith, the fraud could have been uncovered in this way. Each accounting employee of the Old Authority was authorized to receive one retention payment. The auditor should have verified that each employee received only one retention payment and that the amount paid agreed with the amount authorized by the Old Authority Board. Since the time when these retention payments was made would be known, a simple check of the cash disbursements journal should have revealed the second payment to Smith, especially since the amount of the second check was $20,000. That is, the cash disbursements journal would show two highly material payments to Smith within a short period of time. Smith stole start-up cash, basically by putting dollar bills in his coat pockets and walking out the door. The audit tests to detect the theft of start-up cash have to begin with the auditor identifying the events held at the Old Facility. Once the auditor knows the schedule of events at the Old Facility, then he or she can trace from the events to the cash transfers to and from the bank. Each event should have resulted in one cash transfer from the bank to the Old or New Facility and a subsequent cash transfer from the Old or New Facility to the bank. Smith began leaving cash in the safe, which would enable the auditor to detect that cash was not being returned to the bank after some events. Follow-up would still be needed to trace the cash that should be in the safe. Since Smith had stolen this cash, the auditor should have been able to detect that funds were missing. Smith was making payments from the Old Authority bank account to an investment account in his name. Payments to the investment account amounted to $25,000. Such checks would not appear to have a business purpose for the Old Authority, and the checks were likely made payable to the investment company. The auditor may have been alerted to this theft by scanning the cash disbursements journal for ‘‘unusual’’ payees. Such checks should have been traced to supporting documentation to establish that there was a business purpose for the transaction. Checks were being put into an investment account under Smith’s name, which should have been evident from the supporting documentation.
34
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
It would have been difficult for the auditor to detect Smith’s theft of the royalty payments. Smith appears to have entered into this agreement on his own, although he used the Old Authority’s name in the contract. The problem an auditor faces is that the contract and payments will not appear in the Old Authority’s records or books. For example, there would not be any evidence that the Board authorized entering into the contract and the royalty checks were not recorded on the Old Authority’s books. 8. Learning objectives and implementation guidance This section identifies the major learning objectives for the case and provides guidance for using the case in the first auditing course. 8.1. Learning objectives The case provides auditing students with a real-world scenario of a theft-of-asset fraud that occurred at a quasi-governmental unit. A primary learning objective of the case is to reinforce textbook coverage of internal controls in a situation that students might encounter during their careers. Controls covered in the case include oversight or monitoring, physical safeguarding of assets, authorization, separation of duties, reconciliation, and documentation. Students are first asked to identify control weaknesses that allowed the fraud to go undetected for years. Students are then asked to recommend improvements to internal controls that would reduce the risk of a similar fraud occurring. The case therefore focuses on both preventive and detection controls that relate to defalcations. Corporate scandals such as Enron, Worldcom, and Tyco, and the subsequent release of SAS 99, Consideration of Fraud in a Financial Statement Audit (AICPA, 2002), increased the importance of covering fraud detection in the first auditing course. A second primary learning objective for the case is to illustrate how auditors should search for theft-of-asset fraud. Although the client in the case is a quasigovernment entity and not a for-profit business, the case provides students with a real-world example of how to conduct a fraud search. Since the fraud was not discovered for years, the case actually points out mistakes that the auditors made, which leads to a discussion of what the auditors should have done. 8.2. Implementation guidance This case has been used multiple times in an introductory auditing course. Topics that must be covered before assigning the case include internal control, audit evidence, and fraud risk assessment. Since the case deals with a theft-of-assets fraud, it is important to first cover controls and fraud risk factors related to defalcations. The case analysis was given as an individual assignment, although it could also be completed by groups of students. Given that the case is not particularly complex or time-consuming, student groups should be limited to two or three members. Students were given two weeks to complete the case, which was sufficient time for the assignment. The case was discussed in class on the due date. While the class period where the case was discussed was one hour and 15 minutes, the case can easily be covered in a 50-minutes class session. Students are given a handout with guidelines for completing the case (see Exhibit 1). The guidelines were intended to help students analyze the case and prepare their reports, and to help the instructor grade the students’ reports by standardizing the report structure and content. Some students have a tendency to write too much, possibly thinking that instructors will be impressed by the length of the report. The five-page rule was intended to discourage excessive writing and to force students to focus on the questions asked. Five pages were adequate to answer the three case questions. Grading was facilitated by having students bullet-point their answers. This clarified for the instructor, for example, the number of internal control weaknesses identified, and it also helped detect redundancies in some students’ answers. The guidelines sheet also identifies the grading criteria, and these were reinforced when the case was assigned. Getting students to write specific answers is emphasized at our school, and this was
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
35
Exhibit 1. Guidelines for completing case.
1. The due date for the case is Monday, December 1st. Late case submissions will not be accepted. 2. Cases can be no more than five pages long, double spaced with appropriate margins. A 12-point font must be used. 3. Use bullet points to structure your answers to the case questions. For example, the answer to case question 1 should be structured as: Internal Control Weakness 1:: describe the control weakness. Internal Control Weakness 2: describe the control weakness. Do not write narrative answers to any of the case questions. 4. Identify the question (in italics) prior to answering the question. For example, Identify internal control weaknesses that provided the opportunity for Mr. Smith to commit the fraud. Include in your answer both preventive and detection internal controls. Your answer would then follow the question. 5. Cases will be graded based on the comprehensiveness (e.g., number of internal control weaknesses identified), correctness (e.g., identified control weakness is actually a weakness), specificity of your answer, and writing quality. 6. Proofread your case analysis before it is submitted for grading. Points will be deducted for each misspelled word. 7. The case relates to chapters 5 (audit evidence), 6 (internal control) and 9 (fraud) in the course textbook. Some content from these two chapters will therefore be helpful in answering the case questions. therefore identified as a specific grading criterion. Despite identifying specificity as a grading criterion, some students’ answers were vague and did not incorporate much specific information from the case. This criterion will be modified in future semesters to require that students incorporate case information in all of their answers. Stating that grades would depend, in part, on the ‘‘number of internal control weaknesses identified’’ actually created a problem with a few students who identified approximately 20 internal control weaknesses, many of which were redundant. This grading criterion was modified to minimize this problem by requiring that students identify the three most important internal control weaknesses that allowed the fraud to be committed. A common problem with cases is that answers are available after the case has been assigned one time; i.e., the one-use problem. This problem can be dealt with by assigning different questions in subsequent uses of the case. For example, students might be asked to answer a question related to the fraud triangle, with most attention being paid to the opportunity to commit fraud. Students might also be asked to identify key controls for a situation that existed at the Old Authority, and to then compare those key controls with what was actually being done at the Authority. 9. Assessment Students in two sections of an introductory auditing course were asked to complete a short questionnaire that assessed the effectiveness of the case in meeting identified learning objectives. The assessment questionnaire is presented in Exhibit 2.
36
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37 Exhibit 2. Fraud at a public authority: Assessment questionnaire. The following questions relate to the Fraud at a Public Authority case that you recently completed. Please answer each question by circling the number that represents your opinion about different aspects of the case. Results of the questionnaire, which are anonymous, will be used to make improvements to the case.
1. Overall, completing the Fraud at a Public Authority case was a valuable learning experience: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 2. The case was effective as a means of reinforcing textbook coverage of internal controls in a realistic situation: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 3. Completing the case helped me understand how internal control weaknesses can create opportunities for fraud to be committed: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 4. Completing the case helped me understand the difference between internal controls that are effective for preventing fraud and internal controls that are effective for detecting fraud: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 5. The case was an effective way to illustrate how fraud (theft of assets) could be committed at a client’s organization: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 6. The case helped me learn how to design audit tests to search for different means for committing defalcation fraud: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 7. The case was effective for illustrating mistakes that auditors might make, which can help me avoid making similar mistakes: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 8. The time allowed (two weeks) for completing the case was adequate: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 9. Case questions were clearly worded and easily understood: Neither Agree Strongly Disagree Disagree or Disagree Agree 1 2 3 4
Strongly Agree 5
10. Guidance for how to write the case report was clear and adequate: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 11. The case was interesting and relevant to the auditing course: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 12. I would recommend using the Fraud at a Public Authority case in future classes: Neither Agree Strongly Disagree Disagree or Disagree Agree Strongly Agree 1 2 3 4 5 Thank you for completing the survey
W.G. Brucker, J.E. Rebele / J. of Acc. Ed. 28 (2010) 26–37
37
Table 1 Mean responses to assessment questionnaire. Question
Day section
Evening section
1 2 3 4 5 6 7 8 9 10 11 12
4.25 4.29 4.25 3.54 4.58 3.60 4.13 4.00 3.50 3.71 4.46 4.33
4.18 4.29 4.46 3.46 4.43 3.80 4.07 4.32 3.70 3.89 4.36 4.25
Twenty-four students in a day section and 28 students in an evening section of the first auditing course completed the assessment questionnaire. Responses were made on a five-point scale and mean responses for each question are shown in Table 1. The first identified learning objective for the case was to reinforce textbook coverage of internal controls in a situation that students might encounter during their careers. Assessment questions 2–5 relate to this learning objective. Results indicate that students in both sections (Q2; means of 4.29 in both classes) indicated that the case was effective in reinforcing textbook coverage of internal controls in a realistic situation. Students also indicated that the case helped them understand how internal control weaknesses create an opportunity for fraud (Q3; means of 4.25 and 4.46) and how defalcation fraud could be committed at a client’s organization (Q5: means of 4.58 and 4.43). The case was perceived as being less effective (Q4; means of 3.54 and 3.46) in helping students distinguish between preventive and detection controls. The second identified learning objective for the case was to illustrate how auditors should search for theft-of-asset fraud. Assessment questions 6 and 7 specifically relate to this learning objective. The case was not perceived as being highly effective for helping students learn how to design audit tests to search for defalcations (Q6, means of 3.60 and 3.80), however, the case was more effective for illustrating mistakes that auditors make, which might help students avoid similar mistakes (Q7, means of 4.13 and 4.07). Mean responses to question 1 show that students in both sections (means of 4.25 and 4.18) perceived the case to be a valuable learning experience. Students also perceived the case to be interesting and relevant to the auditing course (Q11, means of 4.46 and 4.36) and they would recommend assigning the case in future classes (Q12, means of 4.33 and 4.25). Overall, the assessment results indicate that the case achieves important learning objectives and that students find it interesting, relevant, and valuable. References American Institute of Certified Public Accountants (AICPA) 2002. Consideration of Fraud in a Financial Statement Audit. Statement on Auditing Standards No. 99. New York. Durtschi, C. (2003). The tallahassee beancounters: A problem-based learning case in forensic auditing. Issues in Accounting Education, 18(2), 137–173.