Improving Your Internal Controls to Protect the Firm's (and Your Clients') Money

Managing partners of law firms should ensure that there is an appropriate structure of internal controls in place at their firms to protect their firms and clients against fraud. With the economy in a recession, cases of employee fraud are on the rise, and in many instances better controls and more oversight are needed.

Smaller law firms often have more reason to worry, as they may not have enough people in their accounting departments to adopt sufficient segregation of duties. This, combined with inadequate screening of new hires, less management time for oversight, and blind trust for long-term, valued employees, increases a firm's vulnerability to employee theft.

How strong are the internal controls at your firm? By reviewing and improving some simple control procedures, managing partners can significantly reduce the risk of internal fraud.

Controls over Cash Receipts and Disbursements

In nine out of 10 cases of fraud, the asset that is stolen is cash. Thieves exploit loopholes and lack of owner oversight to steal money, often over long periods of time. There are reports of bookkeepers who have stolen millions of dollars from employers over a five- or even a 10-year period, but they keep the amounts small enough on a weekly basis that they escape detection. In some cases, collusion of two or more people will circumvent any segregation controls in place.

Simple internal controls over cash receipts and disbursements can be put in place to ensure that these loopholes are blocked.

Who Opens the Bank Statements?

A managing partner should have the bank statements (for every cash account in the firm's name) mailed directly to him or her, and the partner should be the one to open the statements. Review the statement itself for unusual transactions and trends, such as large wire transfers you do not recognize and smaller than usual daily deposits. Flip through the cancelled checks (or the page of scanned copies) and look for vendors you do not recognize, checks to employees, or checks over a certain dollar amount. Cases of fraud can occur when an employee cuts a check to a phony vendor and then removes that cancelled check from the bank statement package before it goes to the managing partner. Gain access to scan activity online. The chance that you might review an unopened bank statement or scan daily activity online may be enough to reduce the likelihood of employee fraud.

Who Performs the Monthly Bank Reconciliation?

When duties are appropriately segregated, the same employee responsible for authorizing transactions or recording items in the general ledger does not perform the bank reconciliation. Smaller firms without the head count to segregate duties may have someone from outside the accounting department perform the bank reconciliation ' some firms employ a part-time bookkeeper to come in and do the bank reconciliations. Remember that in addition to the firm's operating account and payroll accounts, IOLTA and other client trust accounts must be reconciled on a monthly basis.

Do You Review the Bank Reconciliations?

Managing partners should review the reconciliations every month. They should ensure that the “balance per bank” ties to the balance on the bank statement, the reconciled balance ties to the general ledger, and then review the list of outstanding checks. In some cases there will be outstanding deposits. If they are not the last day's deposits, then these amounts should be investigated because they may be indicative of misappropriation.

Who Is Authorized to Sign Checks?

In most cases, managing partners delegate check-signing responsibility because they simply don't have enough time to sign all the checks. However, this delegation may be opening those firms up to possible fraud. A tiered check-writing approach may help in such situations. A firm can set a dollar amount threshold with the bank ' checks over a certain value must be signed by two individuals, one of whom should be a partner or managing partner. The level of this threshold depends on the size of your firm and the average dollar amount of checks processed. However, the managing partner should sign all checks for the controller's expense claims.

Some other policies firms should enforce include: Never use a signature stamp to sign checks. Checks should always bear live signatures of the appropriate partner. Also, never allow the signing partner to pre-sign blank checks ' ensure that another partner is available to provide a second signature in the case of the usual signing partner's absence. Unsigned checks should be kept securely locked away. When signing checks, a partner should first review supporting documentation such as original invoices (not copies) and the appropriate purchase orders or authorizations.

Wire-transfers: Smaller firms often have inadequate controls over the authorization of wire transfers, despite the fact that more and more vendor payments are made using wires. Similar to the check-writing threshold process, all wire transfers over a certain dollar amount should be authorized by the managing partner. Many banks now have procedures in place requiring that before initiating transfers over a certain threshold, they must call a firm's managing partner for an authorization password in order to complete the transaction.

Cash Receipts: Cases of fraud can also occur in the area of cash receipts. This is called “skimming,” a process whereby an employee steals cash receipts before they even make it into the bank account. Thieves will cover their tracks by issuing a credit memo to remove the receivable from the accounting system, or by “kiting,” replacing a stolen check from a client with another client's payment. The thief will then either endorse the check or set up a phony bank account in another state using the firm's name.

Organized fraudsters forge checks ' all they need is someone on the inside who can copy incoming checks. Then the fraudsters produce copies and make them out for small amounts that won't raise suspicions when they are cashed.

One simple way to avoid employee skimming behavior is to ask clients to send money via wire transfer when possible. Alternatively, a firm can set up a lockbox facility with the bank, so checks go directly to the bank rather than to the firm's accounting department. A side benefit of this process is it also cuts down on the number of float days ' you get access to the money sooner. Many banks have deposit scanning available; a firm scans and transmits its receipts to the bank using scanning equipment. This is beneficial because it means that deposits do not leave the premises.

Ideally, the handling of cash receipts should be segregated from the duties of recording these receipts in the general ledger and reconciling the bank account. Smaller firms without enough people to split up these duties can protect themselves with some of the following simple controls around accounts receivable.

All accounts receivable credits should be signed-off by a managing partner. He or she should keep a list of the credits approved, and this list should be cross-referenced with a monthly report from the time and billing system showing credits made to accounts receivable (A/R). Not only does this control help prevent skimming, but it also has an added business benefit of holding partners accountable for any A/R credits.

The managing partner should also review the monthly A/R aging and discuss older A/R balances with the relevant billing partner. Anomalies can be detected by performing this simple review ' for example, a client who pays regularly every month should not have old A/R balances.

Client statements are also an important internal control. If a client has made a payment but it is still showing as unpaid on a statement, the client usually will call the billing partner to correct the bill. The receipt may have been skimmed and never made it into the firm's accounting system, but because of the statement, the anomaly was detected. Managing partners should put a system in place to ensure that client statements are mailed on a monthly basis ' each partner's administrative assistant should take on this responsibility.

Accounts Payable: What Is A 'Fictitious Vendor'?

Many cases of employee fraud involve the setting up of fictitious vendors. There are instances of employees having checks made out to friends, relatives, or shell companies ' all are examples of fictitious vendors ' and even producing fake invoices from these fictitious vendors to support the fraud. In other cases, employees have used company money to make personal utility, car, or credit card payments.

In addition to reviewing documentation when signing checks, managing partners should be reviewing the detailed accounts payable aging for vendors they may not recognize. Obtain a system-generated report on at least a quarterly basis showing the total amounts paid to all vendors year-to-date, compared with the prior year. Look for any vendors that are not familiar, as well as any significant increases, and inquire about any new vendors. If any amounts look suspicious, ask to see all of the invoices associated with that vendor.

More sophisticated accounting systems allow firms to restrict who can set up a new vendor. All systems, however, should generate a report showing new vendors set up each month, and the managing partner should review this report.

The Payroll Function: Your Biggest Area of Exposure

Payroll is the largest expense in your firm, and without adequate controls and oversight it can be your largest area of exposure to fraud. Who approves payroll in your firm?

The bi-weekly or monthly payroll should be reviewed and approved by the managing partner. Make sure the report you are reviewing shows each employee's wages for the period and year-to-date, as well as their deductions. Look for employees you do not recognize, or unapproved raises. Check to determine that employees who have left the firm are not still receiving a paycheck ' there have been cases of fraud in which a payroll clerk has simply changed the direct deposit information for an employee who has left to his or her own or a relative's bank account.

Most payroll companies run reports monthly, or at least quarterly, showing changes to payroll standing data. These reports will show new hires, departures, and changes to pay rates. Compare this with lists of new employees and recent raises produced by the human resources administrator.

A monthly reconciliation of gross payroll to the wages and salaries lines on the firm's income statement should be completed, and the managing partner should review this reconciliation. Ask to see the gross payroll report that ties into the reconciliation, and inquire about any significant reconciling items. This can detect mis-posting of payroll to incorrect accounts on the general ledger, either accidentally or to cover up misappropriation.

Does the firm use an imprest system for remitting payroll taxes and 401(k) deferrals? This will ensure that monies are remitted properly and that this occurs in a timely fashion. Make sure that the managing partner or another designated partner oversees any changes to the firm's pension plan.

How much do the controller and other accounting employees earn? Double-check their W2s at the end of the year to ensure consistency with expectations.

Employee expense claims are an area that can be prone not just to fraudulent activity, but also to abuse or misunderstanding of expense reimbursement rules. Ensure that expense reimbursement policies are clearly communicated to all new hires and reviewed with employees on a regular basis. Managing partners should randomly spot-check some employee expense claims for review monthly, and should always sign off on the controller's expense claims.

When interviewing new accounting staff, ask if you can run a background credit check on them. With existing staff, look for lifestyle changes, as they may be indicative of a problem. For example: an employee who earns $35,000 a year who shows up with a new Lexus, or an employee with a drug or alcohol problem who may need to supplement his or her income. Management must be respectful of employee privacy and act within the law, but it may be prudent to increase oversight or controls if you have suspicions.

The Oversight Function: The Importance of the Monthly Financials

Review of monthly financial statements is a critical part of the firm's internal controls system, as well as enabling the managing partner to track the firm's profitability and ensure that targets are being met. Controllers should be able to produce monthly financial statements in a timely manner, at the latest by the eighth or ninth day of the next month.

Does your firm have a budget? A budget should be developed before the start of each new year, and monthly and year-to-date results should be compared with budget, with significant variances investigated.

Monthly balance sheets should be compared with the prior year. Monthly and year-to-date income statements should be compared with budget, and with prior year, with variances calculated. Wages and salary line items should be supported and explained by head count information, such as the number of full-time equivalents for each category in the budget and year-on-year.

Review monthly financial statements with the controller and look for significant fluctuations, trends, and deviation from expectations. Ask questions and obtain detail of any areas of concern. For example, if you know that health insurance premiums have increased 5%, and head count is flat, health insurance expense which has increased 10% year-on-year would be something unusual to investigate. Significant increases of office supplies or large unclassified miscellaneous expenses could also be cause for concern.

A monthly review of the firm's results can also help the managing partner formulate a projection of how the year will end up, which enables him or her to make timely decisions addressing areas of concern and manage expectations with the other partners.

Sometimes it may be helpful to review monthly numbers with the firm's outside CPA, as he or she may notice unusual trends and fluctuations.

Outside Service Providers

As well as having adequate internal controls in place to protect the firm from fraud perpetrated by insiders, the firm should address the risk of fraudulent activity associated with outside service providers. The managing partner should ensure that he or she is involved in the selection of and communication with outside service providers, in conjunction with the relevant administrator within the firm.

Outside service providers might include your payroll company, outsourced IT services such as technical support and co-location facilities, and benefits providers such as 401(k) administrators and pension fund managers.

Ask outside service providers for a copy of their annual SAS70 report. This report provides information about and a measure of comfort regarding the service provider's internal and IT controls. Contact your CPA for help understanding the SAS70 reports, if necessary.

When selecting an outside service provider, choose a company that is large enough and has adequate bonding and insurance, so you
are not putting the firm's assets or information at risk. There have been cases of small payroll companies going out of business and the clients being held responsible for unpaid payroll taxes. Recent, high-profile investment
scandals underline the need for appropriate scrutiny in the choice of investment advisers and pension fund managers, and regular review of their reporting and performance.

Conclusion

Addressing these internal control modifications with the firm's financial controller should be handled carefully. You want to avoid coming across as questioning the integrity of a trusted employee. However, an honest individual should have no problem with the greater transparency and oversight changes discussed in this article. It is also important to put a structure in place to aid a smooth transition in case the controller leaves the firm. It is the partners' money (and clients' money) at stake, and the managing partner is under an obligation to protect his or her firm against fraud.

Neil F. Scullion, CPA, is a director in the Law Firm Services Group at Feeley & Driscoll, P.C. (http://www.fdcpa.com/). The Law Firm Services Group provides tax, accounting, business advisory, and consulting services to law firms. Based in Boston, Scullion can be reached at [email protected] or by phone at 617-456-2475.

Managing partners of law firms should ensure that there is an appropriate structure of internal controls in place at their firms to protect their firms and clients against fraud. With the economy in a recession, cases of employee fraud are on the rise, and in many instances better controls and more oversight are needed.

Smaller law firms often have more reason to worry, as they may not have enough people in their accounting departments to adopt sufficient segregation of duties. This, combined with inadequate screening of new hires, less management time for oversight, and blind trust for long-term, valued employees, increases a firm's vulnerability to employee theft.

How strong are the internal controls at your firm? By reviewing and improving some simple control procedures, managing partners can significantly reduce the risk of internal fraud.

Controls over Cash Receipts and Disbursements

In nine out of 10 cases of fraud, the asset that is stolen is cash. Thieves exploit loopholes and lack of owner oversight to steal money, often over long periods of time. There are reports of bookkeepers who have stolen millions of dollars from employers over a five- or even a 10-year period, but they keep the amounts small enough on a weekly basis that they escape detection. In some cases, collusion of two or more people will circumvent any segregation controls in place.

Simple internal controls over cash receipts and disbursements can be put in place to ensure that these loopholes are blocked.

Who Opens the Bank Statements?

A managing partner should have the bank statements (for every cash account in the firm's name) mailed directly to him or her, and the partner should be the one to open the statements. Review the statement itself for unusual transactions and trends, such as large wire transfers you do not recognize and smaller than usual daily deposits. Flip through the cancelled checks (or the page of scanned copies) and look for vendors you do not recognize, checks to employees, or checks over a certain dollar amount. Cases of fraud can occur when an employee cuts a check to a phony vendor and then removes that cancelled check from the bank statement package before it goes to the managing partner. Gain access to scan activity online. The chance that you might review an unopened bank statement or scan daily activity online may be enough to reduce the likelihood of employee fraud.

Who Performs the Monthly Bank Reconciliation?

When duties are appropriately segregated, the same employee responsible for authorizing transactions or recording items in the general ledger does not perform the bank reconciliation. Smaller firms without the head count to segregate duties may have someone from outside the accounting department perform the bank reconciliation ' some firms employ a part-time bookkeeper to come in and do the bank reconciliations. Remember that in addition to the firm's operating account and payroll accounts, IOLTA and other client trust accounts must be reconciled on a monthly basis.

Do You Review the Bank Reconciliations?

Managing partners should review the reconciliations every month. They should ensure that the “balance per bank” ties to the balance on the bank statement, the reconciled balance ties to the general ledger, and then review the list of outstanding checks. In some cases there will be outstanding deposits. If they are not the last day's deposits, then these amounts should be investigated because they may be indicative of misappropriation.

Who Is Authorized to Sign Checks?

In most cases, managing partners delegate check-signing responsibility because they simply don't have enough time to sign all the checks. However, this delegation may be opening those firms up to possible fraud. A tiered check-writing approach may help in such situations. A firm can set a dollar amount threshold with the bank ' checks over a certain value must be signed by two individuals, one of whom should be a partner or managing partner. The level of this threshold depends on the size of your firm and the average dollar amount of checks processed. However, the managing partner should sign all checks for the controller's expense claims.

Some other policies firms should enforce include: Never use a signature stamp to sign checks. Checks should always bear live signatures of the appropriate partner. Also, never allow the signing partner to pre-sign blank checks ' ensure that another partner is available to provide a second signature in the case of the usual signing partner's absence. Unsigned checks should be kept securely locked away. When signing checks, a partner should first review supporting documentation such as original invoices (not copies) and the appropriate purchase orders or authorizations.

Wire-transfers: Smaller firms often have inadequate controls over the authorization of wire transfers, despite the fact that more and more vendor payments are made using wires. Similar to the check-writing threshold process, all wire transfers over a certain dollar amount should be authorized by the managing partner. Many banks now have procedures in place requiring that before initiating transfers over a certain threshold, they must call a firm's managing partner for an authorization password in order to complete the transaction.

Cash Receipts: Cases of fraud can also occur in the area of cash receipts. This is called “skimming,” a process whereby an employee steals cash receipts before they even make it into the bank account. Thieves will cover their tracks by issuing a credit memo to remove the receivable from the accounting system, or by “kiting,” replacing a stolen check from a client with another client's payment. The thief will then either endorse the check or set up a phony bank account in another state using the firm's name.

Organized fraudsters forge checks ' all they need is someone on the inside who can copy incoming checks. Then the fraudsters produce copies and make them out for small amounts that won't raise suspicions when they are cashed.

One simple way to avoid employee skimming behavior is to ask clients to send money via wire transfer when possible. Alternatively, a firm can set up a lockbox facility with the bank, so checks go directly to the bank rather than to the firm's accounting department. A side benefit of this process is it also cuts down on the number of float days ' you get access to the money sooner. Many banks have deposit scanning available; a firm scans and transmits its receipts to the bank using scanning equipment. This is beneficial because it means that deposits do not leave the premises.

Ideally, the handling of cash receipts should be segregated from the duties of recording these receipts in the general ledger and reconciling the bank account. Smaller firms without enough people to split up these duties can protect themselves with some of the following simple controls around accounts receivable.

All accounts receivable credits should be signed-off by a managing partner. He or she should keep a list of the credits approved, and this list should be cross-referenced with a monthly report from the time and billing system showing credits made to accounts receivable (A/R). Not only does this control help prevent skimming, but it also has an added business benefit of holding partners accountable for any A/R credits.

The managing partner should also review the monthly A/R aging and discuss older A/R balances with the relevant billing partner. Anomalies can be detected by performing this simple review ' for example, a client who pays regularly every month should not have old A/R balances.

Client statements are also an important internal control. If a client has made a payment but it is still showing as unpaid on a statement, the client usually will call the billing partner to correct the bill. The receipt may have been skimmed and never made it into the firm's accounting system, but because of the statement, the anomaly was detected. Managing partners should put a system in place to ensure that client statements are mailed on a monthly basis ' each partner's administrative assistant should take on this responsibility.

Accounts Payable: What Is A 'Fictitious Vendor'?

Many cases of employee fraud involve the setting up of fictitious vendors. There are instances of employees having checks made out to friends, relatives, or shell companies ' all are examples of fictitious vendors ' and even producing fake invoices from these fictitious vendors to support the fraud. In other cases, employees have used company money to make personal utility, car, or credit card payments.

In addition to reviewing documentation when signing checks, managing partners should be reviewing the detailed accounts payable aging for vendors they may not recognize. Obtain a system-generated report on at least a quarterly basis showing the total amounts paid to all vendors year-to-date, compared with the prior year. Look for any vendors that are not familiar, as well as any significant increases, and inquire about any new vendors. If any amounts look suspicious, ask to see all of the invoices associated with that vendor.

More sophisticated accounting systems allow firms to restrict who can set up a new vendor. All systems, however, should generate a report showing new vendors set up each month, and the managing partner should review this report.

The Payroll Function: Your Biggest Area of Exposure

Payroll is the largest expense in your firm, and without adequate controls and oversight it can be your largest area of exposure to fraud. Who approves payroll in your firm?

The bi-weekly or monthly payroll should be reviewed and approved by the managing partner. Make sure the report you are reviewing shows each employee's wages for the period and year-to-date, as well as their deductions. Look for employees you do not recognize, or unapproved raises. Check to determine that employees who have left the firm are not still receiving a paycheck ' there have been cases of fraud in which a payroll clerk has simply changed the direct deposit information for an employee who has left to his or her own or a relative's bank account.

Most payroll companies run reports monthly, or at least quarterly, showing changes to payroll standing data. These reports will show new hires, departures, and changes to pay rates. Compare this with lists of new employees and recent raises produced by the human resources administrator.

A monthly reconciliation of gross payroll to the wages and salaries lines on the firm's income statement should be completed, and the managing partner should review this reconciliation. Ask to see the gross payroll report that ties into the reconciliation, and inquire about any significant reconciling items. This can detect mis-posting of payroll to incorrect accounts on the general ledger, either accidentally or to cover up misappropriation.

Does the firm use an imprest system for remitting payroll taxes and 401(k) deferrals? This will ensure that monies are remitted properly and that this occurs in a timely fashion. Make sure that the managing partner or another designated partner oversees any changes to the firm's pension plan.

How much do the controller and other accounting employees earn? Double-check their W2s at the end of the year to ensure consistency with expectations.

Employee expense claims are an area that can be prone not just to fraudulent activity, but also to abuse or misunderstanding of expense reimbursement rules. Ensure that expense reimbursement policies are clearly communicated to all new hires and reviewed with employees on a regular basis. Managing partners should randomly spot-check some employee expense claims for review monthly, and should always sign off on the controller's expense claims.

When interviewing new accounting staff, ask if you can run a background credit check on them. With existing staff, look for lifestyle changes, as they may be indicative of a problem. For example: an employee who earns $35,000 a year who shows up with a new Lexus, or an employee with a drug or alcohol problem who may need to supplement his or her income. Management must be respectful of employee privacy and act within the law, but it may be prudent to increase oversight or controls if you have suspicions.

The Oversight Function: The Importance of the Monthly Financials

Review of monthly financial statements is a critical part of the firm's internal controls system, as well as enabling the managing partner to track the firm's profitability and ensure that targets are being met. Controllers should be able to produce monthly financial statements in a timely manner, at the latest by the eighth or ninth day of the next month.

Does your firm have a budget? A budget should be developed before the start of each new year, and monthly and year-to-date results should be compared with budget, with significant variances investigated.

Monthly balance sheets should be compared with the prior year. Monthly and year-to-date income statements should be compared with budget, and with prior year, with variances calculated. Wages and salary line items should be supported and explained by head count information, such as the number of full-time equivalents for each category in the budget and year-on-year.

Review monthly financial statements with the controller and look for significant fluctuations, trends, and deviation from expectations. Ask questions and obtain detail of any areas of concern. For example, if you know that health insurance premiums have increased 5%, and head count is flat, health insurance expense which has increased 10% year-on-year would be something unusual to investigate. Significant increases of office supplies or large unclassified miscellaneous expenses could also be cause for concern.

A monthly review of the firm's results can also help the managing partner formulate a projection of how the year will end up, which enables him or her to make timely decisions addressing areas of concern and manage expectations with the other partners.

Sometimes it may be helpful to review monthly numbers with the firm's outside CPA, as he or she may notice unusual trends and fluctuations.

Outside Service Providers

As well as having adequate internal controls in place to protect the firm from fraud perpetrated by insiders, the firm should address the risk of fraudulent activity associated with outside service providers. The managing partner should ensure that he or she is involved in the selection of and communication with outside service providers, in conjunction with the relevant administrator within the firm.

Outside service providers might include your payroll company, outsourced IT services such as technical support and co-location facilities, and benefits providers such as 401(k) administrators and pension fund managers.

Ask outside service providers for a copy of their annual SAS70 report. This report provides information about and a measure of comfort regarding the service provider's internal and IT controls. Contact your CPA for help understanding the SAS70 reports, if necessary.

When selecting an outside service provider, choose a company that is large enough and has adequate bonding and insurance, so you
are not putting the firm's assets or information at risk. There have been cases of small payroll companies going out of business and the clients being held responsible for unpaid payroll taxes. Recent, high-profile investment
scandals underline the need for appropriate scrutiny in the choice of investment advisers and pension fund managers, and regular review of their reporting and performance.

Conclusion

Addressing these internal control modifications with the firm's financial controller should be handled carefully. You want to avoid coming across as questioning the integrity of a trusted employee. However, an honest individual should have no problem with the greater transparency and oversight changes discussed in this article. It is also important to put a structure in place to aid a smooth transition in case the controller leaves the firm. It is the partners' money (and clients' money) at stake, and the managing partner is under an obligation to protect his or her firm against fraud.

Neil F. Scullion, CPA, is a director in the Law Firm Services Group at Feeley & Driscoll, P.C. (http://www.fdcpa.com/). The Law Firm Services Group provides tax, accounting, business advisory, and consulting services to law firms. Based in Boston, Scullion can be reached at [email protected] or by phone at 617-456-2475.