CHAPTER 1: INTERNAL CONTROLS
Misappropriation/Embezzlement: This can happen in two different scenarios—skimming and cash larceny. Skimming occurs when cash is stolen from a corporation prior to its entry into the accounting system. According to the ACFE, nearly 1 in 5 of all asset misappropriation cases involved skimming. By contrast, cash larceny is theft that takes place after the revenue has been recorded in the company’s books. Case studies by the ACFE show 1 in 10 frauds was a result of cash larceny.

Here is an example of skimming: A controller for a beverage company had become disillusioned with his job and his employer. Cash from customer payments, direct sales to customers, and vending machine collections all came to his desk—and he was the last person to see the money before it was deposited in the bank. One day, a deposit came in with $1,000 more in cash than indicated on the deposit slip. Rather than correct the error, the controller instead pocketed $1,000 from the deposit and submitted it as is. Noting how simple it had been to take the $1,000, the controller then began a process of skimming money off incoming route deposits. Using blank deposit forms, the controller would remove cash from an incoming deposit and simply write a new deposit form using a lower amount. This continued for two years and resulted in the theft of $475,000.

The scheme was only uncovered after the controller was fired for poor conduct, which included missing work and filing late financial statements and tax returns. A CPA, brought in temporarily to help the company in the interim, immediately identified discrepancies between the cost of sales and inventory, and the controller was arrested shortly thereafter. Segregation of duties and audits could have prevented this fraud.

IDENTITY THEFT

The AR process requires that a significant amount of data be collected from customers. There are both internal and external challenges to be met in terms of protecting personal and business data, and these challenges call for effective management and controls. Access to Personally Identifiable Information (PII) should be limited to those who need it—and be carefully controlled. Controls must be in place to protect the data. For instance, if your system stores customers’ bank data or credit card information, it must be protected from possible fraudulent misuse both internally and externally.

With the introduction of new global PCI Compliance regulations, known as PCI DSS (Payment Card Industry Data Security Standard), many companies no longer store credit card information—customers must provide credit card information when each order is taken. Simply blocking all but the last digits can serve as a stronger protection feature. If the thief can’t steal the information because it is guarded with the highest priority, you prevent identity theft.
THE ACCOUNTS RECEIVABLE SPECIALIST CERTIFICATION PROGRAM E-TEXTBOOK