Internal Controls, How Do They Work?

Thursday, 14 August 2014 00:00 Nick Sanders

Mismanagement
Perhaps one impediment to establishing robust internal controls designed to detect and deter corrupt actions by employees is that management simply does not know where to start. After all, it’s not like corporate governance is a core curriculum concept of most MBA programs. And to the extent internal controls are covered in those programs, the primary focus is generally on SOX 404 controls over financial reporting, as opposed to more “operational controls” that would address potential corruption in other areas of the corporation’s day-to-day activities. So perhaps we should cut management some slack and stop having such high expectations for their performance in this area.

On the other hand, it ain’t rocket science either. Accounting and other professional service firms routinely deploy recent college graduates to evaluate internal controls. Apparently those recent graduates can be taught what to look for, and can be sensitized to the point that, should they trip over an internal control problem, they can tell somebody about it. It seems rather obvious that it doesn’t take an MBA from a fancy Ivy League college to effectively address corporate governance and implement an appropriate system of internal controls.

In fact, perhaps the ability to address corporate governance ought to be a prerequisite for more MBAs than is currently the case. It would seem to be a rather pressing issue. (It’s not like there is a scarcity of stories about absent (or failed) internal controls on this blog.)

A key step in developing a robust set of internal controls is to evaluate their current state. The evaluation establishes the baseline that will be compared against the “future state” of the internal control environment. That comparison will lead to identification of “gaps” that need to be remediated through enhanced processes, enhanced documentation, enhanced training … or perhaps a combination of all three.

We have developed a test for readers who want to check their abilities in this area. It is based on a real life example, ripped from today’s headlines. All factual statements are based on reported allegations and not on any proven charges. Persons (including corporations) are innocent until proven guilty in a court of law.

When you read the following story, how would you evaluate the internal controls at this entity?

Between August 2002 and October 2012, Employee D was employed as the Director of the Environmental Health and Safety Department at Entity K, where he had the authority to pay vendors without a bidding process, and without any additional approvals, for amounts less than $5,000.

Through his position at Entity K, Employee D funneled money to himself and others by directing Entity K to pay vendors at an extreme mark-up, or for work that was never done. Supplier S was the main vendor who worked with Employee D to implement the scheme. Supplier S would receive payments from Entity K and would then make payments to Employee D. Entity K paid Supplier S more than $354,000 for work purportedly done during the 10-year period.

Supplier T was a legitimate business and vendor to Entity K. Even though Supplier T was a legitimate vendor, it billed Entity K unreasonable fees for work it performed. More than $61,000 of the money Entity K paid to Supplier T was later transmitted back to Supplier S. Supplier S then made payments to Employee D. Supplier T and Employee D also facilitated the scheme by forging four re-inspection forms by listing the name and accreditation number for an accredited inspector who had not actually done the inspections in question.

Supplier J was owned by a childhood friend of Employee D. Supplier J was based out of state and had never done any work for Entity K. Employee D directed Entity K to pay Supplier J more than $221,000 for purported contract work, and more than $198,000 of that money was funneled back to Supplier S. Supplier S then made payments to Employee D.

Employee D also hired his neighbor to do odd jobs at Entity K in exchange for the neighbor creating fictitious businesses, called Supplier O and Supplier H. Employee D then allegedly created phony invoices with inflated amounts due to the neighbor and to Supplier H. Employee D directed Entity K to pay these companies $56,709, of which $49,546.50 was paid back to Supplier S. Supplier S then made payments to Employee D.

This is not a hypothetical example. This alleged scheme was active for ten years. A Grand Jury charged Employee D and his associates with racketeering for allegedly obtaining more than $686,000 through fraudulent billings to Entity K. If the suspects are convicted, racketeering carries a penalty of five to 20 years in prison, a fine or both.

So how do you assess the current state of Entity K’s internal controls? How many internal control “gaps” did you identify?

The problem describes a complex scheme. But could it have been detected with appropriate internal controls? Could it have been detected before 10 years of allegedly corrupt activities took place? Discuss.

Did you note that a single individual had the authority to both select suppliers and to authorize payments to them? Do you think that $5,000 is a reasonable authorization limit for miscellaneous services? Do you think somebody should have reviewed those under-$5,000 payments to verify that services were performed? (At least once every decade or so.) Do you think names of entities that received payments (of whatever size) could have been matched against a vendor master file in order to verify that they were legitimate companies? Do you think inspection forms could have been randomly selected for outside review? Do you think supplier addresses could have been matched against employee home addresses to see if there were any anomalous correlations?
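Three of the checks suggested above (vendor master file matching, supplier-to-employee address matching, and review of under-limit payments selected and approved by the same person) can be run as a routine script over a payment ledger. The following is an added example, not part of the original post; the ledger layout, names, addresses and amounts are constructed, and only the $5,000 limit comes from the story.

```python
from collections import defaultdict

APPROVAL_LIMIT = 5000  # the single-approver threshold from the story

# Constructed sample data; every name, address and amount is illustrative.
VENDOR_MASTER = {
    "Acme Abatement": "12 Industrial Way",
    "Lakeside Testing": "48 Elm St.",
}
EMPLOYEE_ADDRESSES = {"E-100": "48 Elm Street", "E-200": "9 Oak Avenue"}
PAYMENTS = [  # (payee, amount, selected_by, approved_by)
    ("Acme Abatement", 4900.00, "E-100", "E-100"),
    ("Acme Abatement", 4850.00, "E-100", "E-100"),
    ("Acme Abatement", 1200.00, "E-200", "E-300"),
    ("Lakeside Testing", 4990.00, "E-100", "E-100"),
    ("Northwind Consulting", 4700.00, "E-100", "E-100"),
]

def normalize(addr):
    """Lower-case, drop punctuation, expand common suffix abbreviations."""
    words = addr.lower().replace(".", "").replace(",", "").split()
    abbrev = {"st": "street", "ave": "avenue", "rd": "road"}
    return " ".join(abbrev.get(w, w) for w in words)

def review(payments, vendors, employees, limit=APPROVAL_LIMIT):
    """Return {payee: sorted list of control exceptions}."""
    findings = defaultdict(set)
    home = {normalize(a): emp for emp, a in employees.items()}
    solo_total = defaultdict(float)
    for payee, amount, selected_by, approved_by in payments:
        if payee not in vendors:
            findings[payee].add("payee not in vendor master file")
        elif normalize(vendors[payee]) in home:
            findings[payee].add("vendor address matches an employee home address")
        # Segregation-of-duties gap: one person both picked and paid the vendor.
        if selected_by == approved_by and amount < limit:
            solo_total[(payee, approved_by)] += amount
    for (payee, _), total in solo_total.items():
        if total >= limit:
            findings[payee].add("sub-limit payments by one person exceed the limit in total")
    return {payee: sorted(f) for payee, f in findings.items()}

if __name__ == "__main__":
    for payee, issues in review(PAYMENTS, VENDOR_MASTER, EMPLOYEE_ADDRESSES).items():
        print(payee, "->", "; ".join(issues))
```

Each finding is a prompt for a human reviewer to ask whether the work was actually performed, not proof of fraud.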

What else did you notice? What other inexpensive, relatively effective, internal controls might have been deployed?

Are you smarter about internal controls than the management team that ran Entity K?

It ain’t rocket science.

But based on the reported allegations, it is apparently too hard for the administration team of at least one accredited institution of higher education.