The following circumstances are based on an actual case study. Names have been changed for privacy reasons.
Jane Dosh was the controller and a trusted employee of ABC Co., a small, tight-knit family business catering to high-net-worth families and individuals, for nearly 15 years. As controller, she managed many aspects of ABC’s finances, such as paying bills, managing payroll, and purchasing supplies for the company and customers, under the supervision of Robert Smith, company co-founder.
Smith was responsible for overseeing the company’s finances. When he passed away in 2011, his financial responsibilities were added to Dosh’s workload due to her impressive track record with the company. The added responsibility meant she handled all aspects of the company’s finances without any oversight. She continued in this role for the following years until she unexpectedly stepped down on December 31, 2016.
Heather Dittman, chief internal auditor, was ABC’s only internal auditor. As part of the annual audit plan, Dittman conducted a standard review of the accounts payable process. The audit program included sampling operations, verification of supporting documentation, and confirmation of appropriate authorizations. During her last review, she documented several unsubstantiated and unexplained transactions.
Unable to get answers from Dosh and concerned about the missing records, Dittman raised her concerns with the CEO and CFO and recommended a forensic examination. Given Dosh’s control over financial processes, it seemed possible that she defrauded the company and covered it up. Concerned about the scale of the fraud and the company’s ability to recover the money, management agreed to the forensic examination.
The forensic examination began with traditional physical surveillance of Dosh to uncover the facts necessary to understand the fraud. On the second day of monitoring, Dosh went to a local clothing store. This piece allowed investigators to put the rest of the puzzle together.
Dosh wanted to be an entrepreneur, but she lacked funding. When Smith died, another employee, Helen Brown, got a company credit card, and Dosh took the chance. She had access to the new card information and knew that no one but her would monitor credit card activity. Dosh created a store account using Brown’s company credit card. She paid for her corporate card purchases monthly from ABC’s checking accounts.
When forensic investigators recovered the contents of Dosh’s company computer hard drive, they found detailed plans for a clothing and accessories store owned by Dosh. She had also forged the signature of the co-founder of the second company on several fraudulent checks to purchase personal goods and services, including payments to family businesses.
Private investigators followed Dosh for weeks to locate where she stored the fraudulent purchases. Forensic accountants sifted through years of company financial records to account for the total amount of fraud. In just five years, she embezzled more than $4 million from the company.
ABC and investigators turned the case over to law enforcement. ABC then implemented several policies and procedures to prevent the company from falling victim to further fraud, including:
· Disburse cash only after proper authorization from management, and only with double approval above certain thresholds, to verify that company funds are being spent for approved business purposes.
· Review all cash receipts and disbursements for fraud and accounting errors as part of the monthly bank reconciliation.
· Separate financial duties so that no one person takes care of all the responsibilities.
· Back up all financial transaction source documents to multiple locations so that documents are not lost if one of the locations is compromised.
· Develop a systematic risk assessment process that enables internal audit to review, assess and identify weaknesses in internal controls and that flags high-risk areas for fraud.
Lessons learned from this cautionary tale:
· No company is immune to fraud. Establish internal policies and procedures that segregate duties, promote accurate documentation, and systematically assess and help address potential risks.
· Internal auditors should use a fraud risk assessment to help managers of small businesses understand the extent of their vulnerability to fraud. Significant gaps in procedure or segregation of duties can be identified during the process without substantial investment.
· Internal auditors should include a fraud risk assessment as a standard in their work plans. It applies to all businesses and is the most compelling method of informing management about fraud vulnerabilities.
· Internal audit should know when to involve a forensic investigator. Forensic professionals can provide different tools, such as erased hard drive recovery and monitoring, and will preserve the chain of evidence in a fraud case.
For more information on fraud risk and assessment, contact Frank Rudewicz at 617-221-1978. For more information about CliftonLarsonAllen LLP, visit CLAconnect.com.