Subject: Employee EmbezzlementServices: Write-up and accounting
Ever since 1989 IMPACT has brought its readers War Stories from the CAMICO claims files. The War Story tradition continues to this day and is one of the many distinguishing characteristics of CAMICO’s exemplary loss prevention services, designed to warn policyholders of the many pitfalls and risk exposures facing CPAs.
The result of this tradition is a collection of over 100 War Stories to date, covering a wide variety of subjects and services, available to CAMICO policyholders via the Members-only Site (www.camico.com) under “Knowledge Tree” and “CAMICO Publications.”
The following two CAMICO War Stories are from two different decades, one from 1989, and the other from more recent times. Both illustrate the dangers of one person having excessive control over an entity’s financial operations (lack of separation of duties).
War Story No. 1, the first ever published (in IMPACT 11), is still relevant today and illustrates the classic small business scenario in which one person takes advantage of an absence of adequate internal controls.
War Story No. 106 is based on a similar, more recent claim and has interesting parallels to No. 1.
Some CPA professional liability issues never change.
War Story No. 1
Subject: Employee fraud
Service: Write-up and accounting, including monthly issuance of income and expense statements and annual discussion of finances
Situation: The CPA’s client was a central California dentist with a small practice including one medical assistant and a nurse/office manager. The office manager handled most of the practice’s financial affairs, preparing checks for signatures, making entries on day sheets, and taking deposits to the bank. The office manager routinely presented the busy dentist with groups of blank checks for his signature. She then made some of the blank checks payable to her creditors including her credit card accounts, utility companies, car dealer, insurance firm and others. She sometimes forged the doctor’s signature. She then booked the expenditures under a variety of areas such as utilities and salaries. At first the office manager stole small amounts — $400 one month, then $800, then $1,200. In 12 months she had stolen almost $20,000. The amounts increased, as she became bolder. During the final nine months of the three-year fraud, she stole almost $54,000. In all, the office manager embezzled nearly $90,000 from her employer.
The CPA didn’t spot the defalcation. He provided write-up and accounting services to more than one hundred small businesses and practices, but delegated most of his work to his clerk/assistant. The clerk entered the information from the dentist’s “Post-at-Once” day sheets and mailed the statements to the dentist. The CPA did not review the income and expense statements, although such a review could have uncovered the fluctuations in salaries, utility payments and so on. He seldom, if ever, met with his client to discuss the monthly statements.
Complaint: The CPA’s client finally questioned the discrepancy between his increasing client base and decreasing income. He was angry that the CPA had not spotted the defalcation early in the scheme.
Results: The dentist, the dentist’s bank, and the CPA shared responsibility for the embezzled funds. CAMICO asserted that the bank had some responsibility for detecting the few forgeries. The dentist bore responsibility for signing blank checks — which were the primary vehicle for the theft — and not paying sufficient attention to the bookkeeping aspect of his practice. The CPA was in error for not reviewing the monthly statements. In the settlement the dentist received $13,000 from the bank, and $56,000 from CAMICO. As typically happens, nothing was recovered from the embezzler who is on probation. The dentist failed to recoup $21,000 of the $90,000 embezzled.
Loss Prevention Tips: CPAs can avoid this type of claim by heeding these tips:
- The engagement letter for this type of work should include a statement that the CPA is limited to making the entries and the client is responsible for reviewing them.
- You should attach a note to the statements requesting that the client sign and return the statements after reading them.
- You should routinely send a letter to all clients offering general advice about internal controls, including:
- Don’t sign blank checks
- Ensure that all lines on a check are filled in
- Don’t permit the same person who writes the checks to receive bank statements
- Reconcile accounts or permit the CPA to perform this service
- Screen job applicants thoroughly; check references (the office manager in the described claim was on parole for embezzlement and had used a false name and social security number when hired by the dentist)
In addition, you should take the time to review statements, comparing them with past statements. Scrutinize signatures on bank statements monthly, or at least quarterly. Finally, at least once a year you should meet with clients to review their business, discussing capital improvements and any other changes in the business or staffing.War Story No. 106
Subject: Controller embezzlement
Service: Monthly and annual compilation, bookkeeping, write-up, tax compliance
Situation: The client, an electronics parts manufacturer in the Midwest, hired a new controller without obtaining any credit checks or background investigations. The controller happened to be a veteran embezzler with multiple criminal convictions, including prison time, and he immediately set up a scheme for siphoning funds from the business to himself. He moved the business’s bank accounts from one bank to another but left the old accounts open in the first bank. He began to regularly move funds from the new accounts to the old accounts, and after finding the electronic key for wiring funds out of the old accounts, wired himself money from the accounts. (The bank had not followed its own protocols by allowing one person to transfer funds in this manner.) Within a year, he had stolen about $1 million. The thefts were discovered when vendors and suppliers to the business quit shipping materials due to nonpayment.
The CPA had acquired the client several years earlier from a merger with another CPA firm and provided bookkeeping, write-ups, tax compliance, and monthly and annual compilations, relying on the information provided to him by the controller. An “evergreen” engagement letter had been signed 10 years earlier, before the merger. The letter warned the client that the services provided “are not designed to detect employee embezzlement,” but the client had signed the letter 10 years earlier and had probably not looked at it since then.
Consequently, the client was disappointed that the CPA did not detect the embezzlement as part of his monthly services, and the client’s attorney advised him to file a claim against the CPA for the $1 million in thefts. The case went into mediation, where the CPA’s defense attorney pointed out that the client: had not obtained a background check on the new controller before hiring him; had consequently hired a convicted felon; and had signed an evergreen engagement letter warning that the services were not designed to detect embezzlement. A settlement agreement was ultimately negotiated for about $200,000.
Loss Prevention Tips:
The longer a CPA has provided services, the greater the CPA’s responsibility in the eyes of a jury. Five years of servicing a small business is enough for a jury to expect the CPA to have a profound understanding of the business, even if only “low level” services such as tax compliance and compilations are provided. Jury studies also show that juror, client and public expectations of CPAs have increased to the point where CPAs are expected to always detect fraud, and to advise and warn clients of their embezzlement/defalcation risk exposures. By advising and warning clients of their exposures, CPAs: 1) better prepare clients to address the exposures, and 2) are able to minimize liability stemming from the expectation to detect fraud.
Advice to clients about their exposures to defalcation is best provided in an advisory letter that: 1) warns about the general risks; 2) suggests steps clients can take to reduce the risks; and 3) offers annual CPA services to help address the risks. An informed client is better able to avoid defalcation. If a defalcation is later uncovered, the CPA has documented evidence of the warning. Clients should also be notified of “loose ends” such as sloppy bookkeeping and late bank reconciliations.
An engagement letter should be signed annually, as “evergreen” engagement letters will not be effective year after year, and can prolong the statute of limitations for filing a claim. The engagement letter allocates, in limiting language, the responsibilities of the engagement for the CPA and the client. A limitation of liability clause may also be effective, but the clause should be reviewed by a risk advisor or legal counsel for possible modification. If performing bank reconciliation services, an addendum to the letter should state that the services are limited in scope and are neither designed nor intended to deter or discover fraud, embezzlements or any other irregularities. Statement on Standards for Accounting and Review Services No. 21 (SSARS No. 21) now mandates CPA engagement letters be signed by their clients’ management.
Examples of internal control warning letters can be found in the Fraud Resource Center on the CAMICO Members-only Site under “Risk Management Tools and Engagement Letters.” Sample engagement letter language can be found in the Engagement Letters Resource Center on the Members-Only Site.
“War Stories,” drawn from CAMICO claims files, illustrate some of the dangers and pitfalls in the accounting profession. All names have been changed