04 January 2016 15:21:34 IST

When familiarity breeds laxity

Repetitive, high-volume processes often lack effective oversight, even if there are control systems in place

'If things can go wrong, they will' is an old management adage. And if the organisation in question is very large, they most certainly will, and perhaps sooner rather than later. If it happens to be a really gargantuan one, such as the US defence forces, things can go wrong in the most spectacular fashion, as recent events in Afghanistan so amply demonstrated. Organisations respond to risk by putting in place control systems to ensure that processes are so designed that each one ends up overseeing the process that precedes it. No single individual is responsible for a whole range of activities in the value chain.

But smaller organisations do not always have the luxury of splitting up processes among several individuals such that a good internal control system is complied with. Not surprisingly, a host of activities gets concentrated in the hands of specific individuals, who control significant aspects of the value chain and expose the organisation to losses either by design (fraud) or by accident.

That is precisely what happened to Collin Street Bakery, a small-town business engaged in making bakery products (fruit-cakes, mostly) in the state of Texas in the US. Sandy Jenkins, its financial controller and the second senior-most official in charge of the finance function, ended up embezzling $17 million of the firm's cash over a ten-year period between 2004 and 2013. A local magazine, Texas Monthly, in its latest issue (January 2016) has a detailed account of how this was pulled off and how it finally came to be unravelled. You can read it at http://www.texasmonthly.com/articles/just-desserts/

As frauds go, it was simplicity itself. It started with his simply dipping his hand into the cash box and passing the money off as petty cash expenses of the firm; he later graduated to writing out cheques on the firm's bank account to meet his personal expenses, ranging from Dom Perignon (Champagne) to Rolex watches to a Toyota Lexus, and even to paying for chartered private planes.

Sole authority

Jenkins was able to do so without anybody getting wind of it as the authority to approve any payment as genuine business expenditure — writing out a cheque or doling out cash; accounting for such payment and then preparing the management performance reports (the company's profit and loss account and balance sheet) and all such tasks — vested solely in his hands. The last aspect of his duties — performance analysis — was particularly significant as he was able to convince the top management that the company was not making any profits as the operations, which had been expanded over the years, both in scale and scope, were costing the firm a lot more than what was initially assumed.

The fraud eventually came to light when a junior accountant was going over the voided cheques (a sort of a duplicate of the actual cheque that is being issued in favour of a payee) statement and saw the name of a finance company for a credit card payment that had no business dealings with the bakery. She asked Jenkins about it and something in his manner aroused her curiosity and she decided to dig deeper. There were payments to all manner of suppliers and creditors who had no business dealings with the bakery. In no time at all, the enormity of the fraud had come to light.

How could something like this have happened is a question that immediately springs to one’s mind. Surely there should have been some checks and balances, even if the business is not exactly General Electric or IBM? Well, a more nuanced answer to that question would be that if Bear Stearns, Lehman Brothers, AIG, Countrywide, etc., which are by no means the financial equivalent of mom and pop grocery stores, were brought to their knees by an absence of internal checks and balances — triggering, in the process, the global financial crisis of 2008 — why should a middling bakery in Texas be any exception?

When controls atrophy

Internal controls in an organisation, even if they are robust enough at the time they are introduced, tend to atrophy over time. Sometimes, it is because the external environment has changed, rendering the control system obsolete. But, more often than not, control systems lose their potency because the managers administering them treat them as a routine to be gone through and, hence, the application of mind that is so crucial to the process ends up becoming almost non-existent.

Here’s an anecdotal example of how this happens. Imagine an organisation with a large volume of purchases and vendor payments to contend with. How does it ensure that it pays only for goods supplied or services rendered to it and not allow some surreptitious payment to go through? The internal control for such an operation will have the following ingredients: One, there must be evidence that the goods for which payment is sought to be made had actually come from outside the factory. That means that a supplier’s delivery challan must bear the endorsement of the security staff at the factory gate, that the goods came from outside. There must be evidence that the goods were received and taken into the factory’s inventory records.

Then, there must be evidence that the goods were inspected and found to be of acceptable quality. The internal document of goods received must then be linked by the accounts department to a copy of the invoice received from the supplier, so that it makes payment only for those invoices that are properly linked to documentary evidence of goods having been received and inspected. Another person within the accounts department scrutinises the supply against the purchase order for the rate and the committed quantity on order (the latter requirement is meant to ensure that a supplier does not dump goods in excess of the quantity ordered).

This is vetted by another person to ensure that due diligence prima facie appears to have been exercised in scrutinising the financial claim against the organisation. He then authorises the generation of a ‘payment advice’ document (for preparation of a cheque). The cheque gets prepared and is signed by an altogether different individual in the accounts department. The instrument then gets mailed by another person in some other department (central mailing).

No system is fool-proof

On the face of it, one would say that here is a fool-proof system, where simply nothing can go wrong. Let us see how this can degenerate into a system where the output is at variance with the goals of the system (avoiding fraudulent or erroneous payments).

The system should work reasonably well if the daily volume of transactions is small. But if the volume expands to hundreds of transactions a day, the situation cries out for some kind of automation, of some of the processes at least. You should not be writing out the name of the supplier and the address where payment should be sent every time there is a transaction. A master database of suppliers, with numerical codes assigned to each and every registered supplier, is prepared. The supplier’s invoice is tagged with a cover sheet, which records not the name of the supplier but the code number assigned to him within the internal system. This is then taken as an input for the computer which decodes it later from the master database to generate a payment advice and later print out a cheque bearing the supplier’s name. But the system would not have reckoned with the quirks in the way people write numbers.

Number jumble

Imagine a supplier whose code number ends with the last digit being an ‘8’. Now, there is an ‘Arabic’ way of writing the numeral ‘8’. You start at the right hand top corner, cursively drag the pen down from right to left, then loop down left to right and go back up to the starting point (right top corner). And there is an ‘Indic’ way of writing the same number. You start from the left hand top corner and cursively drag the pen to the bottom right and re-loop back up to the starting point (left top corner). The problem with the ‘Indic’ way of writing the numeral is that if the ball-point pen’s ink dries up along the way, the number could resemble a ‘7’ or ‘9’ rather than an ‘8’.

The automation process only checks for the validity of a supplier code but not the supplier identity itself. That is supposed to be taken care of at the time the payment advice is authorised or when the cheque is signed against the accounting documents (supplier’s invoice, goods receipt document, and so on). Now it is not inconceivable that the two layers of verification (authorising the payment advice and signing a cheque) can be performed in such a perfunctory way that oversight is completely missing, a number written in haste is interpreted as another number, and the payment goes to a wrong supplier.
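The gap described above can be shown in a few lines. This is an added illustration, not part of the original column: the supplier codes, names and receipt numbers are constructed, and `verify_payment` is a hypothetical check that ties the keyed code back to the supplier named on the invoice and to the goods receipt, instead of relying on the human signatories to notice.

```python
# Constructed sample data: codes, names and receipt numbers are illustrative only.
SUPPLIER_MASTER = {
    "40177": "Bharat Packaging Co",
    "40178": "Acme Steel Traders",
    "40179": "Coastal Freight Ltd",
}
# Goods-receipt records: receipt number -> supplier code recorded at the stores.
GOODS_RECEIPTS = {"GR-1001": "40178"}


def code_is_valid(code):
    """The automated check described in the column: is the code registered?"""
    return code in SUPPLIER_MASTER


def _norm(name):
    """Compare names case-insensitively, ignoring punctuation and spacing."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def verify_payment(keyed_code, invoice_name, receipt_no):
    """Return the reasons to hold a payment; an empty list means release it."""
    if not code_is_valid(keyed_code):
        return ["supplier code not in master database"]
    problems = []
    # Identity check: the payee the code decodes to must be the invoicing supplier.
    if _norm(SUPPLIER_MASTER[keyed_code]) != _norm(invoice_name):
        problems.append("payee for keyed code differs from supplier on invoice")
    # Linkage check: the goods receipt must belong to the same supplier code.
    if GOODS_RECEIPTS.get(receipt_no) != keyed_code:
        problems.append("goods receipt not linked to keyed supplier code")
    return problems


if __name__ == "__main__":
    # The cover sheet says 40178, but the dried-ink '8' is keyed in as '7'.
    print(code_is_valid("40177"))
    print(verify_payment("40177", "Acme Steel Traders", "GR-1001"))
    print(verify_payment("40178", "ACME Steel Traders.", "GR-1001"))
```

The misread code passes the validity check because 40177 is itself a registered supplier; only the cross-checks against the invoice and the goods receipt expose the mismatch.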

Clearly, a large volume of transactions can reduce human checks and balances to nothing. A situation that is as fraught with risk as one where all accounting power is vested with one individual.