Chapter 4: Fraud, Internal Control, and Cash Management

Welcome to Last Minute Lecture.

This free chapter overview is designed to help students review and understand key concepts.

These summaries supplement not replaced the original textbook and may not be redistributed or resold.

For complete coverage, always consult the official text.

It's amazing, isn't it?

The things people will do for money.

Yeah, some stories really make you wonder.

Like this Green Valley Coffee Company case.

I mean, their own controller stealing millions right under their noses.

Five million dollars over almost a decade.

It's hard to fathom.

Exactly.

You'd think with all the checks and balances companies have in place, something like that would be impossible.

You'd think so.

But that's why we're here, right?

Absolutely.

For our listeners, we want to provide that clear, concise breakdown of what went wrong and how to prevent it.

This deep dive is your shortcut to understanding the crucial stuff internal controls and how to manage cash effectively.

Right on.

It's not just about preventing intentional fraud either.

Oh, absolutely.

It's about protecting businesses from those unintentional errors that can be just as costly.

Totally.

So today, we'll be dissecting what fraud actually is, the different types, the sheer scale of its impact globally.

Then we'll dig into why internal controls are non -negotiable for any business that wants to stay afloat.

Absolutely.

And we'll get specific too, looking at controls for cash, the importance of things like bank reconciliations, and how all of this ties into a company's balance sheet.

Yeah.

Because ultimately, it's about having a practical understanding of how businesses make sure their money is safe and maintain that all -important trust with everyone involved.

Exactly.

Okay.

So let's start with the basics.

What exactly is fraud?

Well, at its core, it's intentional deception.

Someone deliberately misrepresenting information to gain something or cause harm.

And it's a bigger problem than many people realize.

I bet.

I remember seeing some statistics from the Association of Certified Fraud Examiners, or ACFE.

Their reports are always pretty eye -opening.

Oh, they are.

They consistently find that organizations lose about 5 % of their revenue every year because of fraud.

5 %?

That's huge.

It is.

And when you think about how much business is done globally, the total amount lost is just staggering.

It makes you wonder, is it mostly these massive corporate scandals we hear about in the news?

Or does this happen in everyday businesses, too?

It's both, actually.

The ACFE data shows that the typical loss in a case of occupational fraud, where an employee is doing something wrong, is around $150 ,000.

So that's more like our Green Valley coffee situation.

Exactly.

And these smaller -scale frauds are more common.

But here's the thing.

A good chunk of cases, about a quarter of them, actually end up costing over a million dollars.

Wow.

And there's also a link between how long someone's been with a company and how much they might steal.

Really?

Yeah.

Longer tenure, bigger potential loss.

It's a bit unsettling, right?

It is.

You'd think you could trust people more the longer they've been around.

Well, trust is important, but you can't rely on it solely.

You need systems in place.

Makes sense.

So in the Green Valley coffee case, specifically, what kind of fraud was their controller, Joe Johnson, pulling off?

That falls under misappropriation of assets.

Basically, it's when an employee uses their position to steal company resources, usually and then they try to cover their tracks by messing with the records.

So he was taking money that didn't belong to him.

Right.

He was using company funds to pay his personal credit card bills, basically funding his lifestyle on the company dime.

And they didn't catch on for nine years.

Their internal controls were weak, especially in separating duties and having someone review checks before they went out.

Those are big red flags.

I see.

And those weaknesses gave him the opportunity to steal.

But there are other ways this type of fraud plays out.

Think inventory theft, bribery,

even inflating expense reports.

It's all misappropriation of assets.

So that's one category.

What other major types of fraud should companies be wary of?

Well, there's fraudulent financial reporting.

This one's different.

Usually it's management doing it, and it's not about directly stealing money.

So what's the goal?

It's about making the company look better than it really is.

Ah, cooking the books.

Pretty much.

They manipulate the financial reports to deceive investors, maybe boost stock prices or secure loans they wouldn't normally get.

Like those huge scandals with Enron and Worldcom back in the day.

Exactly.

Those were massive cases of fraudulent financial reporting,

totally rocked investor confidence and the market as a whole.

So Enron, they were using those shell companies and stuff to hide debt, right?

Yeah, to inflate their profits.

And Worldcom, they were misclassifying expenses to make their earnings look bigger.

Crazy.

Now here's a surprising thing.

While asset misappropriation is more common, the financial losses from fraudulent financial reporting are often way bigger.

Really?

Yeah.

But both ultimately boil down to twisting the financial records to paint a false picture of the company's health.

Right.

And whether it's small -scale theft or large -scale deception,

the ripple effects of fraud go way beyond just the money lost.

Oh, absolutely.

You're talking about damage reputations, job losses, a decline in a company's value, the impact on investor trust, the market overall.

It's huge.

And to really understand what drives people to commit fraud, it's helpful to consider the fraud triangle.

The fraud triangle.

Okay, I've heard of that.

Break it down for us.

Sure.

So you have three elements.

Motive, opportunity, and rationalization.

Motive is usually about financial pressure.

Like debt, maybe.

Exactly.

Maybe someone's in over their head with debt or they want a lifestyle they can't afford legitimately.

Greed plays a role, too.

Makes sense.

Opportunity comes from weaknesses in a company's internal controls.

Like what happened to Green Valley Coffee?

Precisely.

Poor separation of duties, unchecked access to assets.

These are all opportunities for fraud to flourish.

And a company culture where ethics aren't emphasized, that can also breed opportunity.

Right.

Because if everyone's cutting corners, it sets a bad example.

Exactly.

And then there's rationalization.

This is how fraudsters convince themselves that what they're doing is okay.

Like justifying it in their own mind.

Exactly.

They might think, I deserve this, or no one will get hurt, or I'll pay it back later.

These are all ways to make peace with their dishonesty.

It's a slippery slope.

It is.

And stepping back, it's important to remember that fraud isn't just an economic or legal problem, it's an ethical one.

It's about people taking advantage of others for personal gain.

And that ultimately undermines trust in the whole system.

It's about doing the right thing, even when no one's looking.

Exactly.

So how can businesses prevent this from happening in the first place?

That's where internal control comes in.

Internal control.

Okay, so what exactly does that mean?

Think of it as a framework.

It's a system of policies, procedures, all designed to help management and the board of directors safeguard the company's assets.

Safeguard from what?

From everything.

Waste, fraud, and efficiency.

It's about making sure employees follow the rules, ensuring accurate record keeping, and complying with all the laws and regulations.

It sounds pretty comprehensive.

Are companies required to have these internal controls?

Oh, absolutely.

Especially publicly traded companies.

That's where the Sarbanes -Oxley Act, or SOX, comes in.

It was passed after those big accounting scandals we talked about.

Penron and all that.

Exactly.

SOX basically says, look, you need to have strong internal controls over your financial reporting and the CEO and CFO have to personally sign off on it.

So they're held accountable.

Big time.

If they don't comply, there can be huge fines, even jail time.

The book actually has an example of a management report on internal controls from a public company.

It's pretty serious stuff.

No kidding.

So internal controls are like a company's first line of defense, protecting both the company itself and the people who have a stake in it.

Think of it as a series of barriers, like in Exhibit 4 -3.

Each barrier is designed to lower the risk of fraud, waste, or errors.

OK, I like that visual.

It also ensures that everything's done ethically and transparently.

And that's key for a healthy financial system overall.

Right, because transparency builds trust.

Exactly.

Now, to build a solid internal control system, you need five key components.

They all work together like a, well, a building as shown in Exhibit 4 -4.

A building.

OK, I'm intrigued.

Let's break down these five components.

Sure.

The foundation of our building is the control environment.

This is all about the tone at the top, the culture of the organization.

So if the leaders are ethical, it trickles down.

Precisely.

Management's commitment to doing things the right way is crucial.

Many companies even create a formal code of ethics.

What kind of things are usually in a code of ethics?

Oh, you know, things like bribery, conflicts of interest, social responsibility.

It outlines what's OK and what's absolutely not OK.

That's the ground rules.

Exactly.

The next level up in our building is risk assessment.

So figuring out what could go wrong.

Exactly.

It's about identifying and analyzing the risks that could prevent the company from achieving its goals.

For example, a food company like Kraft would be really concerned about contamination, right?

Of course.

Food safety is huge for them.

Right.

And an airline like Southwest, their big focus would be on flight safety.

Makes sense.

Every business has to think about financial risks, too, like the risk of fraud or even bankruptcy.

Once they identify the risks, then management can figure out how to reduce them.

So knowing your enemy is the first step to defeating it.

Exactly.

The third component is all about information and communication.

This is how companies capture, process, and report their data.

Both financial and non -financial, right?

Right.

This includes their accounting system, which is crucial for keeping accurate financial records.

A solid information system makes sure transactions are initiated properly, authorized, recorded accurately, and reported on time.

So it's about having a reliable flow of information.

Precisely.

Without that, you can't make good decisions or maintain control.

Now the fourth component is where the rubber meets the road.

This is about control activities.

So what are they actually doing to address those risks?

Exactly.

These are the specific actions management puts in place to mitigate those risks we identified earlier.

This happens at every level of the company, in every department.

Give us some examples.

Sure.

Think about segregation of duties, performance reviews, physical controls over assets, and the way information is processed.

We'll get into more detail about these later on.

Sounds good.

And the final piece of the puzzle.

That's monitoring activities.

This is where companies make sure their internal control system is actually working.

So it's not a set it and forget it kind of thing.

Definitely not.

It's about constantly evaluating and making adjustments as needed.

Internal auditors play a big role here, as do external auditors who provide an independent assessment.

So it's about having checks and balances on the checks and balances.

Exactly.

And one more important thing in monitoring is exception reporting.

What's that?

It's about identifying and investigating anything unusual or unexpected.

Like if sales suddenly drop in one region or expenses spike in a particular department, you dig deeper to find out why.

That's about spotting the red flags early on.

Exactly.

Now remember those control activities we mentioned earlier.

The book uses a handy acronym to remember the key categories.

Scello LP.

Scello P.

Okay.

I like it.

Tell us more.

So the S stands for smart hiring practices and separation of duties.

This starts with finding the right people.

Thorough background checks, I'm guessing.

Absolutely.

But it's also about training, supervision, and making sure employees are paid fairly.

Right.

Because if someone feels underpaid, they might be more tempted to steal.

Exactly.

And the separation of duties is crucial.

This means you don't want one person controlling an entire transaction from start to finish.

Why not?

Because it creates too much opportunity for fraud.

You want different people authorizing the transactions, recording them, and handling the assets.

Remember Joe Johnson at Green Valley Coffee?

He had too much control, and that's how we got away with it for so long.

So checks and balances on the people level.

Exactly.

Now even in smaller businesses where it's harder to completely separate duties, the owner needs to be actively involved.

So keeping a close eye on things.

Right.

Approving big payments, reviewing bank reconciliations, that kind of stuff.

Moving on to C, it's comparisons and compliance monitoring.

So comparing what you expect to happen with what actually happens.

Exactly.

Think about bank reconciliations where you compare your records with the bank statement.

That's a classic example.

And budgets, right?

Absolutely.

Budgets for revenues, expenses, cash flow, they're all benchmarks to compare against.

If something's way off, you need to investigate.

And this is where exception reporting comes in again.

Right.

Looking for those unusual patterns.

And don't forget audits.

Internal audits are done by people within the company, while external audits are done by independent CPAs.

So getting a fresh set of eyes on things.

They help ensure the company's following the rules and that the internal controls are working properly.

Okay.

What about A?

A stands for Adequate Records.

It's all about good documentation.

Receipts, invoices, that sort of thing?

Exactly.

Sales invoices, purchase orders, receiving reports, canceled checks, everything needs to be documented, whether it's on paper or electronically.

And pre -numbering those documents is a good practice too.

Why pre -numbering?

It helps make sure all transactions are accounted for.

It makes it harder for someone to slip in a fake transaction or remove one without anyone noticing.

So good record -keeping is essential for effective internal control.

Now L stands for Limited Access.

This is about protecting the company's assets physically.

So cash, inventory,

important documents.

Exactly.

You want to restrict access to authorized personnel only?

And this extends to computer systems too.

Usernames, passwords, all that.

Yep.

And encryption to keep data safe.

It's all about limiting access based on what people need to do their jobs.

No one should have more access than they need.

Makes sense.

Finally, P is for Proper Approvals.

This ensures that every transaction is approved by the right person before it goes through.

So someone's signing off on it.

Right.

Sometimes it's a general approval for routine things, but other times it needs a specific approval from higher -ups, especially for larger or unusual transactions.

Think about giving credit to a new customer or making a big purchase.

Those things should go through multiple layers of approval.

And probably involve getting quotes from different vendors, right?

Exactly.

It's about making sure every decision is carefully considered and aligns with the company's goals.

Right.

So S -scale P, a great way to remember those key control activities.

But we can't talk about internal controls without mentioning technology, can we?

I mean, everything's digital these days.

Absolutely.

Technology has revolutionized the way businesses operate, and it's deeply intertwined with internal control.

In what way?

Well, so much of record -keeping, asset management, and even monitoring is automated now.

Think about those barcode scanners at the checkout or systems that flag unusual transactions.

It definitely streamlines things.

It does.

But relying on technology also brings new risks.

Data breaches, cyber attacks, software glitches, these are all things companies have to worry about now.

So it's a double -edged sword.

It is.

That's why having skilled IT professionals is so important.

They can make sure systems are secure and working correctly, and access control is huge.

You want to prevent unauthorized people from getting into sensitive data or messing with the system.

Regular software updates are critical, too, to patch any vulnerabilities.

Right, because hackers are always trying to find new ways in.

Exactly.

So beyond those process controls and IT security, what about physically safeguarding assets?

The more hands -on stuff, like keeping cash locked up.

Exactly.

These are called safeguard controls, and they include all those physical security measures, fireproof vaults for important documents and cash, burglar alarms, security cameras, and even security guards in some cases.

It makes sense.

And for employees who handle lots of cash, companies often get fidelity bonds.

It's a type of insurance that protects them if an employee steals.

And things like job rotation and mandatory vacations can also deter fraud.

How so?

Well, if someone's doing something shady, it's harder to keep it hidden if they have to switch roles or take time off.

Someone else might notice something's not right.

Right.

It removes that single point of failure.

Exactly.

Now, with e -commerce booming, businesses face a whole new set of security challenges.

What are some internal control considerations specific to online operations?

That's a great point.

E -commerce has its own unique risks.

Think about stolen credit card numbers, malware, phishing scams.

Those are all major concerns.

Remember the case of Carlos Salgado Jr.?

Vaguely.

He was the guy who stole millions of credit card numbers by hacking into systems.

Oh, right.

I remember that.

It's a prime example of the damage hackers can do.

And malware is a constant threat, too.

You have viruses, worms, spyware, ransomware, Trojan horses, all designed to wreak havoc in different ways.

It's scary how sophisticated these things are getting.

It is.

And then you have phishing, where they try to trick people into giving up personal information through fake websites or emails.

It's all about deception.

So what can e -commerce businesses do to protect themselves and their customers?

Encryption is key.

It's like scrambling data so no one can read it without the key.

Like those secret codes you see in movies?

Sort of.

The book uses checksum digits as an example.

It's a way to verify that data hasn't been tampered with.

Interesting.

Firewalls are crucial, too.

They're like digital barriers that prevent unauthorized access to the company's network.

And many companies use multiple layers of firewalls for extra protection.

Like a fortress around their data.

Exactly.

All right.

Let's shift gears and focus specifically on cash.

Since it's so easy to steal and convert, what are some key internal controls for handling cash receipts and payments?

You're absolutely right.

Cash is the most vulnerable asset, so strong controls are crucial.

Whether it's cash coming in or going out, the key is to separate duties and have a clear audit trail.

For over -the -counter sales, like at a grocery store or a retail shop, point -of -sale terminals or POS systems are essential.

Those computerized cash registers.

Exactly.

They record each sale, track the cash in the drawer, and often update inventory at the same time.

Giving customers a receipt is another important control.

And at the end of each shift, someone other than the cashier should reconcile the cash in the drawer with the POS system's records.

Makes sense.

The book uses Whole Foods Market as an example in Exhibit 4 -5.

They have a very streamlined process for cash receipts.

And for restaurants, keeping an eye on inventory, particularly things like wine, can also help spot potential cash discrepancies.

Interesting.

So what about cash that comes in through the mail?

Mailroom procedures are key here.

You want to make sure different people are involved in the process.

Ideally, the mailroom opens the mail, sends checks directly to the treasurer for deposit, and remittance advices, those slips that say who paid and what for, go straight to accounting.

So no one person has control over the whole process.

Exactly.

Accounting then records the receipt and updates the customer's account, and the controller compares the bank deposit slip with the accounting records to make sure everything matches up.

Exhibit 4 -6 shows how this flow works.

Very efficient.

And using electronic funds transfers, or EFTs, is even better.

Because there's no physical cash to handle.

Exactly.

It's more secure and easier to track.

Makes sense.

What about cash going out?

How do companies control their payments?

Using checks or EFTs is the best practice because it provides a paper trail, and every single check or EFT needs authorization from someone with the proper authority.

So no rogue spending.

Exactly.

They need to review supporting documentation before signing off on anything.

What kind of documentation?

Well, imagine Green Valley Coffee ordering supplies from Cisco Foods.

They would have a purchase order created by the department that needs the stuff, a receiving report to confirm the goods arrived, and an invoice from Cisco detailing the amount owed.

Okay.

So three documents.

Right.

The accounting department should match these three documents.

It's called a three -way match before they prepare the payment.

Make sure everything lines up.

Exhibits 4 -7 and 4 -8 show examples of these documents.

And again, separation of duties is crucial here.

The people buying, receiving, preparing the payment, and approving it, they should all be different people.

Right.

To prevent any funny business.

Exactly.

After the payment goes out, the supporting documents should be marked paid so they can't be used again.

And checks should be mailed directly to the vendor by the treasurer, not sent back to accounting.

More separation of duties.

You got it.

Now, what about those small everyday expenses that you can't really pay by check?

Like buying office supplies or grabbing lunch for a meeting.

Right.

For those things, companies usually use a petty cash fund.

It's a small amount of cash kept on hand for minor expenses.

So they don't have to write a check for every little thing.

Exactly.

Most companies use an Impress system.

This means the fund starts with a set amount, and as money is spent, they use vouchers to track each expense.

Like little receipts.

Pretty much.

The cash left in the fund plus the value of the vouchers should always equal that original amount.

When the fund runs low, someone requests a reimbursement and provides all the vouchers to replenish it back to the starting amount.

The book uses Sisto systems as an example.

So it's a way to keep tabs on those small, miscellaneous expenses.

Exactly.

And these days, more companies are moving away from petty cash and using company -issued debit cards instead.

Oh, interesting.

Why's that?

It's easier to track electronically and provides a clearer audit trail.

But even with all these internal controls, are there any limitations?

I mean, can't people still find ways to get around them?

You're right.

No system is perfect.

One big limitation is collusion.

This is when two or more people team up to bypass the controls.

Like a conspiracy.

Exactly.

They work together to cover each other's tracks.

Then there's management override.

So someone higher up abusing their power?

Unfortunately, yes.

They might intentionally disregard the controls for personal gain.

And we can't forget human error.

People get tired, make mistakes, misunderstand things.

It happens.

And finally, there's the cost factor.

Right.

Some security measures can be really expensive.

Exactly.

Sometimes the cost of implementing a super tight control might be more than the potential benefit.

The book gives an example of a Walmart store weighing the cost of hiring a security guard.

So it's about finding a balance between security and practicality.

Exactly.

Now, another crucial process for managing cash is bank reconciliation.

Okay, what is that and why is it so important?

It's all about comparing two records of your cash.

The bank statement and your company's own cash records.

So making sure they match.

Right.

But they almost never match perfectly because of timing differences.

Maybe you deposited a check that hasn't cleared yet or you wrote a check that the recipient hasn't cashed.

Okay.

I can see how that would happen.

The goal of the bank reconciliation is to figure out why those balances are different and make sure your records are accurate.

It's a vital control activity and the person doing it shouldn't be involved in any other

To keep it unbiased.

Exactly.

So how do you do a bank reconciliation?

Well, it usually has two sides.

On the bank side, you start with the ending balance from the bank statement and adjust for things your company has recorded but the bank hasn't yet processed.

Like those checks and deposits we talked about.

Exactly.

Deposits in transit, outstanding checks, and any bank errors.

Then, on the book side, you start with your company's cash balance and adjust for things the bank has recorded but you haven't yet accounted for.

Give us some examples.

Sure.

Bank collections where the bank receives money on your behalf, EFT receipts and payments, interest earned on your account, bank service charges.

You also subtract any NSF checks.

Those are checks that bounced because the customer didn't have enough money in their account.

Okay.

That makes sense.

And you also factor in the cost of printed checks and any mistakes your company might have made in its own records.

So it's about catching those errors on both sides.

Precisely.

Exhibit 412 shows the different categories of reconciling items and gives a real -world example using Green Valley Coffee Company.

Very helpful.

Now, once you've identified all those reconciling items, you need to make journal entries to update your company's cash account for the items on the book side.

Not the bank side.

Nope.

The bank will eventually catch up with those timing differences but the book side needs to be updated to reflect things like interest revenue, service charges, NSF checks, and corrections to your own errors.

Exhibit 412 highlights these items in red and shows the journal entries.

And one more thing.

When a customer's check bounces, it increases your accounts receivable.

Right.

Because they still owe you that money.

Exactly.

And with online banking, reconciling is much easier now.

Because you can see your transactions in real time.

Exactly.

It helps catch things faster.

Okay.

Last question.

When a company prepares its balance sheet, how is cash presented?

Cash is usually a first asset listed because it's the most liquid.

You'll often see a line item called cash and cash equivalents.

Cash equivalents.

What are those?

They're short -term investments that are almost as good as cash.

They're easily convertible to cash and mature in three months or less.

Think money market funds, treasury bills, short -term CDs.

They're so close to cash that they're lumped together.

Got it.

The book has an excerpt from Green Valley Coffee Company's balance sheet.

And many companies also include more details about their cash and cash equivalents in the footnotes to their financial statements.

So full transparency.

Exactly.

To sum up, we've learned that fraud is a major risk.

But a well -designed system of internal control is the best defense.

And ScalLP.

Yes.

ScalLP is a great way to remember those key control activities.

Smart hiring practices and separation of duties,

comparisons and compliance monitoring, adequate records, limited access, and proper approvals.

Perfect.

And bank reconciliations are essential, too.

Right.

Making sure our cash records are squeaky clean.

Exactly.

And remember, these aren't just abstract concepts.

They're real -world tools that companies use every day to protect themselves and build trust.

Precisely.

So as we wrap up this deep dive, I want you to think about this.

We all have a role to play in upholding ethical financial practices.

That's so true.

Whether you're an employee, a manager, or just someone trying to understand how the world works.

What can you do to promote financial integrity?

It's a question worth pondering.

And keep learning.

The more we understand about fraud, the better equipped we are to prevent it.

I agree.

There are so many real -world examples out there, both successes and failures.

We can learn a lot from studying those cases.

Exactly.

Knowledge is power.

Especially when it comes to protecting ourselves and our businesses.

Thanks for listening.

Thanks for having me.