Wk 4 Discussion


1114237 – Wiley US ©


Fraud, Internal Control, and Cash

Chapter Preview
As the following Feature Story about recording cash sales at Barriques indicates, control
of cash is important to ensure that fraud does not occur. Companies also need controls to
safeguard other types of assets. For example, Barriques undoubtedly has controls to
prevent the theft of food and supplies, and controls to prevent the theft of tableware and
dishes from its kitchen.

In this chapter, we explain the essential features of an internal control system and how it
prevents fraud. We also describe how those controls apply to a specific asset—cash. The

1114237 – Wiley US ©

applications include some controls with which you may be already familiar, such as the
use of a bank.

Feature Story
Minding the Money in Madison

For many years, Barriques in Madison, Wisconsin, has been named the city’s favorite
coffeehouse. Barriques not only does a booming business in coffee but also has
wonderful baked goods, delicious sandwiches, and a fine selection of wines.

“Our customer base ranges from college students to neighborhood residents as well
as visitors to our capital city,” says bookkeeper Kerry Stoppleworth, who joined the
company shortly after it was founded in 1998. “We are unique because we have
customers who come in early on their way to work for a cup of coffee and then will
stop back after work to pick up a bottle of wine for dinner. We stay very busy
throughout all three parts of the day.”

Like most businesses where purchases are low-cost and high-volume, cash control
has to be simple. “We use a computerized point-of-sale (POS) system to keep track of
our inventory and allow us to efficiently ring through an order for a customer,”
explains Stoppleworth. “You can either scan a barcode for an item or enter in a code
for items that don’t have a barcode such as cups of coffee or bakery items.” The POS
system also automatically tracks sales by department and maintains an electronic
journal of all the sales transactions that occur during the day.

“There are two POS stations at each store, and throughout the day any of the staff
may operate them,” says Stoppleworth. At the end of the day, each POS station is
reconciled separately. The staff counts the cash in the drawer and enters this amount
into the closing totals in the POS system. The POS system then compares the cash
and credit amounts, less the cash being carried forward to the next day (the float), to
the shift total in the electronic journal. If there are discrepancies, a recount is done
and the journal is reviewed transaction by transaction to identify the problem. The
staff then creates a deposit ticket for the cash less the float and puts this in a drop
safe with the electronic journal summary report for the manager to review and take to
the bank the next day. Ultimately, the bookkeeper reviews all of these documents as
well as the deposit receipt that the bank produces to make sure they are all in

As Stoppleworth concludes, “We keep the closing process and accounting simple so
that our staff can concentrate on taking care of our customers and making great
coffee and food.”

1114237 – Wiley US ©

Chapter Outline

LO 1 Define fraud and the principles of
internal control.


The Sarbanes-
Oxley Act

Internal control

Principles of
internal control

Data analytics
and internal

Limitations of
internal control

DO IT! 1 Control

LO 2 Apply internal control principles to

Cash receipts


Petty cash fund

DO IT! 2 Control
over Cash

LO 3 Identify the control features of a
bank account.

EFT system


Reconciling the
bank account

DO IT! 3 Bank

LO 4 Explain the reporting of cash and
the basic principles of cash

Reporting cash

Managing and
monitoring cash

Cash budgeting

DO IT! 4a
Reporting Cash

DO IT! 4b Cash

Go to the Review and Practice section at the end of the chapter for a targeted
summary and practice applications with solutions.

Visit WileyPLUS for additional tutorials and practice opportunities.

1114237 – Wiley US ©

Fraud and Internal Control


Define fraud and the principles of internal control.

The Feature Story describes many of the internal control procedures used by Barriques.
These procedures are necessary to discourage employees from fraudulent activities.

A fraud is a dishonest act by an employee that results in personal benefit to the employee
at a cost to the employer. Examples of fraud reported in the financial press include the

A bookkeeper in a small company diverted $750,000 of bill payments to a personal
bank account over a three-year period.

A shipping clerk with 28 years of service shipped $125,000 of merchandise to himself.

A computer operator embezzled $21 million from Wells Fargo Bank over a two-year

A church treasurer “borrowed” $150,000 of church funds to finance a friend’s business

Why does fraud occur? The three main factors that contribute to fraudulent activity are
depicted by the fraud triangle in Illustration 7.1.

ILLUSTRATION 7.1 Fraud triangle

The most important element of the fraud triangle is opportunity. For an employee to
commit fraud, the workplace environment must provide opportunities that an employee
can take advantage of. Opportunities occur when the workplace lacks sufficient controls
to deter and detect fraud. For example, inadequate monitoring of employee actions can
create opportunities for theft and can embolden employees because they believe they will
not be caught.

1114237 – Wiley US ©

A second factor that contributes to fraud is financial pressure. Employees sometimes
commit fraud because of personal financial problems caused by too much debt. Or, they
might commit fraud because they want to lead a lifestyle that they cannot afford on their
current salary.

The third factor that contributes to fraud is rationalization. In order to justify their fraud,
employees rationalize their dishonest actions. For example, employees sometimes justify
fraud because they believe they are underpaid while the employer is making lots of money.
Employees feel justified in stealing because they believe they deserve to be paid more.

The Sarbanes-Oxley Act
What can be done to prevent or to detect fraud? After numerous corporate scandals came
to light in the early 2000s, Congress addressed this issue by passing the Sarbanes-Oxley
Act (SOX). Under SOX, all publicly traded U.S. corporations are required to maintain an
adequate system of internal control. Corporate executives and boards of directors must
ensure that these controls are reliable and effective. In addition, independent outside
auditors must attest to the adequacy of the internal control system. Companies that fail to
comply are subject to fines, and company officers can be imprisoned. SOX also created
the Public Company Accounting Oversight Board (PCAOB) to establish auditing standards
and regulate auditor activity.

One poll found that 60% of investors believe that SOX helps safeguard their stock
investments. Many say they would be unlikely to invest in a company that fails to follow
SOX requirements. Although some corporate executives have criticized the time and
expense involved in following SOX requirements, SOX appears to be working well. For
example, the chief accounting officer of Eli Lily noted that SOX triggered a comprehensive
review of how the company documents its controls. This review uncovered redundancies
and pointed out controls that needed to be added. In short, it added up to time and money
well spent.

Internal Control
Internal control is a process designed to provide reasonable assurance regarding the
achievement of company objectives related to operations, reporting, and compliance. In
more detail, the purposes of internal control are to safeguard assets, enhance the
reliability of accounting records, increase efficiency of operations, and ensure compliance
with laws and regulations. Internal control systems have five primary components as
listed below.1

A control environment. It is the responsibility of top management to make it clear that
the organization values integrity and that unethical activity will not be tolerated. This
component is often referred to as the “tone at the top.”

Risk assessment. Companies must identify and analyze the various factors that
create risk for the business and must determine how to manage these risks.

Control activities. To reduce the occurrence of fraud, management must design
policies and procedures to address the specific risks faced by the company.

Information and communication. The internal control system must capture and
communicate all pertinent information both down and up the organization, as well as

1114237 – Wiley US ©

communicate information to appropriate external parties.

Monitoring. Internal control systems must be monitored periodically for their
adequacy. Significant deficiencies need to be reported to top management and/or the
board of directors.

1114237 – Wiley US ©

People, Planet, and Profit Insight

And the Controls Are . . .

Internal controls are important for an effective financial reporting system. The same
is true for sustainability reporting. An effective system of internal controls for
sustainability reporting will help in the following ways: (1) prevent the unauthorized
use of data; (2) provide reasonable assurance that the information is accurate, valid,
and complete; and (3) report information that is consistent with overall sustainability
accounting policies. With these types of controls, users will have the confidence that
they can use the sustainability information effectively.

Some regulators are calling for even more assurance through audits of this
information. Companies that potentially can cause environmental damage through
greenhouse gases, as well as companies in the mining and extractive industries, are
subject to reporting requirements. And, as demand for more information in the
sustainability area expands, the need for audits of this information will grow.

Why is sustainability information important to investors? (Go to WileyPLUS for this
answer and additional questions.)

Principles of Internal Control Activities

1114237 – Wiley US ©

Each of the five components of an internal control system is important. Here, we will focus
on one component, the control activities. The reason? These activities are the backbone of
the company’s efforts to address the risks it faces, such as fraud. The specific control
activities used by a company will vary, depending on management’s assessment of the
risks faced. This assessment is heavily influenced by the size and nature of the company.

The six principles of control activities are as follows (see Decision Tools).

Establishment of responsibility

Segregation of duties

Documentation procedures

Physical controls

Independent internal verification

Human resource controls

We explain these principles in the following sections. You should recognize that they apply
to most companies and are relevant to both manual and computerized accounting

Decision Tools

The six principles of internal control activities help to ensure that a company’s
financial statements are adequately supported by internal controls.

Establishment of Responsibility

An essential principle of internal control is to assign responsibility to specific employees.
Control is most effective when only one person is responsible for a given task.

To illustrate, assume that the cash on hand at the end of the day in a Safeway
supermarket is $10 short of the cash entered in the cash register. If only one person has
operated the register, the shift manager can quickly determine responsibility for the
shortage. If two or more individuals have worked the register, it may be impossible to
determine who is responsible for the error.

Many retailers solve this problem by having registers with multiple drawers. This makes it
possible for more than one person to operate a register but still allows identification of a
particular employee with a specific drawer. Only the signed-in cashier has access to his or
her drawer.

Establishing responsibility often requires limiting access only to authorized personnel, and
then identifying those personnel. For example, the automated systems used by many
companies have mechanisms such as identifying passcodes that keep track of who made
a journal entry, who entered a sale, or who went into an inventory storeroom at a particular
time. Use of identifying passcodes enables the company to establish responsibility by
identifying the particular employee who carried out the activity.

1114237 – Wiley US ©

Anatomy of a Fraud

Maureen Frugali was a training supervisor for claims processing at Colossal
Healthcare. As a standard part of the claims-processing training program, Maureen
created fictitious claims for use by trainees. These fictitious claims were then sent to
the accounts payable department. After the training claims had been processed, she
was to notify Accounts Payable of all fictitious claims, so that they would not be paid.
However, she did not inform Accounts Payable about every fictitious claim. She
created some fictitious claims for entities that she controlled (that is, she would
receive the payment), and she let Accounts Payable pay her.

Total take: $11 million

The Missing Control

Establishment of responsibility. The healthcare company did not adequately restrict
the responsibility for authorizing and approving claims transactions. The training
supervisor should not have been authorized to create claims in the company’s “live”

Source: Adapted from Wells, Fraud Casebook (2007), pp. 61–70.

Segregation of Duties

1114237 – Wiley US ©

Segregation of duties is indispensable in an internal control system. There are two
common applications of this principle:

1. Different individuals should be responsible for related activities.

2. The responsibility for recordkeeping for an asset should be separate from the
physical custody of that asset.

The rationale for segregation of duties is this: The work of one employee should, without
a duplication of effort, provide a reliable basis for evaluating the work of another
employee. For example, the personnel that design and program computerized systems
should not be assigned duties related to day-to-day use of the system. Otherwise, they
could design the system to benefit them personally and conceal the fraud through day-to-
day use.

Segregation of Related Activities

Making one individual responsible for related activities increases the potential for errors
and irregularities.

Purchasing Activities

Companies should, for example, assign related purchasing activities to different
individuals. Related purchasing activities include ordering merchandise, approving orders,
receiving goods, authorizing payment, and paying for goods or services. Various frauds
are possible when one person handles related purchasing activities:

If a purchasing agent is allowed to order goods without obtaining supervisory
approval, the likelihood of the purchasing agent receiving kickbacks from suppliers

If an employee who orders goods also handles the invoice and receipt of the goods, as
well as payment authorization, he or she might authorize payment for a fictitious

These abuses are less likely to occur when companies divide the purchasing tasks.

1114237 – Wiley US ©

Sales Activities

Similarly, companies should assign related sales activities to different individuals. Related
selling activities include making a sale, shipping (or delivering) the goods to the customer,
billing the customer, and receiving payment. Various frauds are possible when one person
handles related sales activities:

If a salesperson can make a sale without obtaining supervisory approval, he or she
might make sales at unauthorized prices to increase sales commissions.

A shipping clerk who also has access to accounting records could ship goods to

A billing clerk who handles billing and receipt could understate the amount billed for
sales made to friends and relatives.

These abuses are less likely to occur when companies divide the sales tasks. The
salespeople make the sale, the shipping department ships the goods on the basis of the
sales order, and the billing department prepares the sales invoice after comparing the
sales order with the report of goods shipped.

1114237 – Wiley US ©

Anatomy of a Fraud

Lawrence Fairbanks, the assistant vice-chancellor of communications at Aesop
University, was allowed to make purchases of under $2,500 for his department
without external approval. Unfortunately, he also sometimes bought items for himself,
such as expensive antiques and other collectibles. How did he do it? He replaced the
vendor invoices he received with fake vendor invoices that he created. The fake
invoices had descriptions that were more consistent with the communications
department’s purchases. He submitted these fake invoices to the accounting
department as the basis for their journal entries and to the accounts payable
department as the basis for payment.

Total take: $475,000

The Missing Control

Segregation of duties. The university had not properly segregated related purchasing
activities. Lawrence was ordering items, receiving the items, and receiving the invoice.
By receiving the invoice, he had control over the documents that were used to account
for the purchase and thus was able to substitute a fake invoice.

Source: Adapted from Wells, Fraud Casebook (2007), pp. 3–15.

Segregation of Recordkeeping from Physical Custody

The accountant should have neither physical custody of the asset nor access to it.
Likewise, the custodian of the asset should not maintain or have access to the accounting
records. The custodian of the asset is not likely to convert the asset to personal use
when one employee maintains the record of the asset, and a different employee has
physical custody of the asset. The separation of accounting responsibility from the
custody of assets is especially important for cash and inventories because these assets
are very vulnerable to fraud.

1114237 – Wiley US ©

Anatomy of a Fraud

Angela Bauer was an accounts payable clerk for Aggasiz Construction Company.
Angela prepared and issued checks to vendors and reconciled bank statements. She
perpetrated a fraud in this way: She wrote checks for costs that the company had not
actually incurred (e.g., fake taxes). A supervisor then approved and signed the checks.
Before issuing the check, though, Angela would “white-out” the payee line on the
check and change it to personal accounts that she controlled. She was able to
conceal the theft because she also reconciled the bank account. That is, nobody else
ever saw that the checks had been altered.

Total take: $570,000

The Missing Control

Segregation of duties. Aggasiz Construction Company did not properly segregate
recordkeeping from physical custody. Angela had physical custody of the checks,
which essentially was control of the cash. She also had recordkeeping responsibility
because she prepared the bank reconciliation.

Source: Adapted from Wells, Fraud Casebook (2007), pp. 100–107.

Documentation Procedures

Documents provide evidence that transactions and events have occurred. For example,
point-of-sale terminals are networked with a company’s computing and accounting
records, which results in direct documentation.

Similarly, a shipping document indicates that the goods have been shipped, and a sales
invoice indicates that the company has billed the customer for the goods. By requiring
signatures (or initials) on the documents, the company can identify the individual(s)
responsible for the transaction or event. Companies should document transactions when
they occur.

Companies should establish procedures for documents. First, whenever possible,
companies should use prenumbered documents, and all documents should be
accounted for. Prenumbering helps to prevent a transaction from being recorded more
than once, or conversely, from not being recorded at all. Second, the control system should
require that employees promptly forward source documents for accounting entries to the
accounting department. This control measure helps to ensure timely recording of the
transaction and contributes directly to the accuracy and reliability of the accounting

1114237 – Wiley US ©

Anatomy of a Fraud

To support their reimbursement requests for travel costs incurred, employees at Mod
Fashions Corporation’s design center were required to submit receipts. The receipts
could include the detailed bill provided for a meal, the credit card receipt provided
when the credit card payment is made, or a copy of the employee’s monthly credit
card bill that listed the item. A number of the designers who frequently traveled
together came up with a fraud scheme: They submitted claims for the same
expenses. For example, if they had a meal together that cost $200, one person
submitted the detailed meal bill, another submitted the credit card receipt, and a third
submitted a monthly credit card bill showing the meal as a line item. Thus, all three
received a $200 reimbursement.

Total take: $75,000

The Missing Control

Documentation procedures. Mod Fashions should require the original, detailed
receipt. It should not accept photocopies, and it should not accept credit card
statements. In addition, documentation procedures could be further improved by
requiring the use of a corporate credit card (rather than a personal credit card) for all
business expenses.

Source: Adapted from Wells, Fraud Casebook (2007), pp. 79–90.

Physical Controls

1114237 – Wiley US ©

Use of physical controls is essential. Physical controls relate to the safeguarding of assets
and enhance the accuracy and reliability of the accounting records. Illustration 7.2 shows
examples of these controls.

ILLUSTRATION 7.2 Physical controls

1114237 – Wiley US ©

Anatomy of a Fraud

At Centerstone Health, a large insurance company, the mailroom each day received
insurance applications from prospective customers. Mailroom employees scanned
the applications into electronic documents before the applications were processed.
Once the applications were scanned, they could be accessed online by authorized

Insurance agents at Centerstone Health earn commissions based upon successful
applications. The sales agent’s name is listed on the application. However, roughly
15% of the applications are from customers who did not work with a sales agent. Two
friends—Alex, an employee in recordkeeping, and Parviz, a sales agent—thought up a
way to perpetrate a fraud. Alex identified scanned applications that did not list a sales
agent. After business hours, he entered the mailroom and found the hard-copy
applications that did not show a sales agent. He wrote in Parviz’s name as the sales
agent and then rescanned the application for processing. Parviz received the
commission, which the friends then split.

Total take: $240,000

The Missing Control

Physical controls. Centerstone Health lacked two basic physical controls that could
have prevented this fraud. First, the mailroom should have been locked during
nonbusiness hours, and access during business hours should have been tightly
controlled. Second, the scanned applications supposedly could be accessed only by
authorized employees using their passwords. However, the password for each
employee was the same as the employee’s user ID. Since employee user-ID numbers
were available to all other employees, all employees knew each other’s passwords.
Thus, Alex could enter the system using another employee’s password and access the
scanned applications.

Source: Adapted from Wells, Fraud Casebook (2007), pp. 316–326.

Independent Internal Verification

Most internal control systems provide for independent internal verification. This principle
involves the review of data prepared by employees. To obtain maximum benefit from
independent internal verification:

1. Companies should verify records periodically or on a surprise basis.

2. An employee who is independent of the personnel responsible for the information
should make the verification.

3. Discrepancies and exceptions should be reported to a management level that can
take appropriate corrective action.

Independent internal verification is especially useful in comparing recorded accountability
with existing assets. The reconciliation of the electronic journal with the cash in the point-

1114237 – Wiley US ©

of-sale terminal at Barriques is an example of this internal control principle. Other
common examples are the reconciliation of a company’s cash balance per books with the
cash balance per bank, and the verification of the perpetual inventory records through a
count of physical inventory. Illustration 7.3 shows the relationship between this principle
and the segregation of duties principle.

ILLUSTRATION 7.3 Comparison of segregation of duties principle with independent
internal verification principle

Large companies often assign independent internal verification to internal auditors.
Internal auditors are company employees who continuously evaluate the effectiveness of
the company’s internal control systems. They review the activities of departments and
individuals to determine whether prescribed internal controls are being followed. They also
recommend improvements when needed. For example, WorldCom was at one time the
second largest U.S. telecommunications company. The fraud that caused its bankruptcy
(the largest ever when it occurred) involved billions of dollars. It was uncovered by an
internal auditor.

1114237 – Wiley US ©

Anatomy of a Fraud

Bobbi Jean Donnelly, the office manager for Mod Fashions Corporation’s design
center, was responsible for preparing the design center budget and reviewing expense
reports submitted by design center employees. Her desire to upgrade her wardrobe got
the better of her, and she enacted a fraud that involved filing expense-reimbursement
requests for her own personal clothing purchases. Bobbi Jean was able to conceal
the fraud because she was responsible for reviewing all expense reports, including her
own. In addition, she sometimes was given ultimate responsibility for signing off on
the expense reports when her boss was “too busy.” Also, because she controlled the
budget, when she submitted her expenses, she coded them to budget items that she
knew were running under budget, so that they would not catch anyone’s attention.

Total take: $275,000

The Missing Control

Independent internal verification. Bobbi Jean’s boss should have verified her expense
reports. When asked what he thought her expenses for a year were, the boss said
about $10,000. At $115,000 per year, her actual expenses were more than 10 times
what would have been expected. However, because he was “too busy” to verify her
expense reports or to review the budget, he never noticed.

Source: Adapted from Wells, Fraud Casebook (2007), pp. 79–90.

Human Resource Controls

Human resource control activities include the following.

1. Bond employees who handle cash. Bonding involves obtaining insurance protection
against theft by employees. It contributes to the safeguarding of cash in two ways.
First, the insurance company carefully screens all individuals before adding them to
the policy and may reject risky applicants. Second, bonded employees know that the
insurance company will vigorously prosecute all offenders.

2. Rotate employees’ duties and require employees to take vacations. These
measures deter employees from attempting thefts since they will not be able to
permanently conceal their improper actions. Many banks, for example, have discovered
employee thefts when the employee was on vacation or assigned to a new position.

3. Conduct thorough background checks. Many believe that the most important and
inexpensive measure any business can take to reduce employee theft and fraud is for
the human resource department to conduct thorough background checks. Two tips: (1)
Check to see whether job applicants actually graduated from the schools they list. (2)
Never use telephone numbers for previous employers provided by the applicant.
Always look them up yourself.

1114237 – Wiley US ©

Anatomy of a Fraud

Ellen Lowry was the desk manager and Josephine Rodriguez was the head of
housekeeping at the Excelsior Inn, a luxury hotel. The two best friends were so
dedicated to their jobs that they never took vacations, and they frequently filled in for
other employees. In fact, Ms. Rodriguez, whose job as head of housekeeping did not
include cleaning rooms, often cleaned rooms herself, “just to help the staff keep up.”
These two “dedicated” employees, working as a team, found a way to earn a little
more cash. Ellen, the desk manager, provided significant discounts to guests who
paid with cash. She kept the cash and did not register the guests in the hotel’s
computerized system. Instead, she took the room out of circulation “due to routine
maintenance.” Because the room did not show up as being used, it did not receive …

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *