Here we continue our look at the University of Georgia situation where a former employee stole more than $1.3 million from the school's Greek Life Office over ten years. What controls could have prevented the fraud from happening?
Recapping the situation, the former employee was a longtime administrative associate with near-complete control over financial activity without any oversight or independent review. Lack of oversight is common in cases of occupational fraud.[1]
With effective risk management and control systems, operational management is the first line of defense; employees are "in the trenches" where risk is best addressed on a day-to-day basis.
How is this line of defense accomplished? The use of four basic preventive controls goes far.
Preventive Controls
Preventive controls are designed to proactively counter errors, fraud, or other unintended consequences before they happen. These four are essential in daily operations.
- Security - Take steps to safeguard assets, data, or other essential items.
- Approval - To consent to officially or formally; to sanction.
- Authorization - Granting authority or power to act or approve.
- Segregation of duties - Separate some aspects of a transaction from the rest so that one person does not fully control a transaction from beginning to end.
What if the department had:
- Account statements delivered to the director or assistant director (security)
- Not permitted debit card transactions or ATM withdrawals (security)
- Used a university safekeeping account instead of an outside bank account (security)
- Signatory authority for the account resting only with the director (approval) and/or assistant director (authorization)
- Requisition or check preparation followed by review and approval done by two different persons (segregation of duties)
- Required a receipt or an invoice that makes clear what was purchased and its business purpose (security)
Should preventive controls fall short in preventing an error or in identifying (helping us notice) a problem, detective controls serve as a backstop. We'll review four fundamental detective controls next time.
Excerpts on the situation above are from the Atlanta Journal-Constitution.
[1] This example of occupational fraud can be further categorized as an asset misappropriation scheme. Fraudulent disbursements are mischaracterized, overstated, or fictitious.
by Rob Walker was the inspiration for this post.