The Association of Certified Fraud Examiners (ACFE) Report to the Nations on Occupational Fraud and Abuse consistently demonstrates that the “smallest organizations…suffered the largest median losses” by someone that the owner or key leaders trusted. To increase the awareness of risk of fraud in my small, closely-held business clients, I’ve begun talking to them about the common risks, like mistakes or theft by employees.
My client business owners stay busy running their companies, worrying about things like ensuring they have enough cash to pay their bills and working to make a better profit than last year. They often do not consider the idea of fraud or think they are at risk. They typically do not realize that by relying on just one or two people to handle their financial matters, they are lacking sufficient controls and they are very vulnerable to fraud. In an agreed upon procedures engagement, we can help business owners identify these areas of vulnerability by agreeing on procedures to be performed in certain areas and then reporting our findings on the agreed upon subject matter.
Small, closely held businesses don’t usually need an audit, which include evaluations of internal controls and might identify potential fraud, so we take a more proactive approach with our clients. We sit down with the owners of existing clients and review some of the statistics and information from the ACFE report to find areas where they may be most concerned or vulnerable. Owners usually say that they want to be assured that the money that is supposed to be going in the bank or that money approved to pay expenditures is being used as intended. While this conversation in itself is incredibly valuable for clients it can also open the door for new service engagements to help an owner identify potential areas of risk in their organization and make recommendations about potential changes to make or procedures to implement. It’s very possible, for example, to take a typical $5,000 tax client and have it progress to a $15,000 agreed upon procedures and tax client!
Our agreed upon procedures engagements are structured based on the client’s need, potential for risk and price sensitivity. We may meet with a client on a quarterly or monthly basis and review their internal controls in selected areas, test them and then report on what we found. For example, if this month we are reviewing payroll, we may review ten payroll transactions and determine if they were paid appropriately or identify instances of overpayment. People often think payroll is not a common area for fraud, but we have a real life example where a client hired a new person to manage their payroll and that new person set themselves up to be paid weekly instead of the bi-weekly rotation for all other staff members, essentially double-paying themselves.
Part of our process includes letting our clients’ employees know that their company is increasing its scrutiny to help protect the organization, owners and employees, too. We recently identified a client situation where the executive director and several employees were using the same login and password for their electronic banking. We pointed out to the board and management that if a fraudulent situation did arise, all the employees would be suspected, but if they each had their own secure login and password, the fraudulent activity would be easier to track back to one individual. Further, it would make it clear that other employees did not commit the fraud.
We like agreed upon procedures engagements in our firm because they lend themselves to standardization so we can apply tools and approaches across our client base and we can schedule this type of work during slower periods of the year. We have implemented an Excel spreadsheet template that we use to track the months across the columns and transaction types and their associated internal controls as rows so we can then identify in each of the cells which areas we are going to review each month or quarter. We also use that spreadsheet to help scope the engagement. We are very specific in defining the deliverables the client can expect by providing a letter with sections that summarize what we looked at, what we found, our inquiry into their processes and any suggested improvements or recommendations we have. We carry these recommendations going forward, too, and remove them in subsequent letters when they are addressed.
If practitioners would like to begin discussing the risks of fraud with their clients and providing agreed upon procedures engagements, I suggest identifying two or three long-term clients to introduce the service initially. The ideal client profile is around a $2 to $5 million organization – large enough that they’re profitable and can afford the service, but not so large that they have an accounting department. The owner likely has a bookkeeper or office manager that they rely on to handle the organization’s financial matters with little oversight or checks and balances in place. Medical practices are a really good example because they typically operate in this manner.
The AICPA has many Agreed Upon Procedures tools available to help you plan your engagement. To learn more about fraud and the impact to your small and medium sized clients, check out the many AICPA resources available, including:
- Common Fraud: A Guide to Thwarting the Top Ten Schemes, available in the AICPA Store
- FLS Fraud Taskforce Quick Reference Guide: Top Misappropriation Schemes, available to Forensic and Valuation Services Section Members or Certified in Financial Forensics or Accredited in Business Valuation credential holders
Exploring how you can help clients reduce the opportunity for fraud by implementing the appropriate controls is something different to talk to your clients about and is tremendously valuable. Remind clients that you always have their back!
F. Carter Heim, CPA, CFF, CGMA, is President of HeimLantz, CPAs and Advisors, a medium size four-partner, twenty eight person firm, in Annapolis, MD and Alexandria, VA. For more information about HeimLantz, visit www.heimlantz.com.