Here we complete our examination of the University of Georgia situation where a former employee stole more than $1.3 million from its Greek Life Office over ten years. What could have helped someone notice the theft early on?
Recapping the situation, the former employee was a longtime administrative associate who had near-complete control over financial activity without any oversight or independent review.
With effective risk management and control systems, operational management is the first line of defense; employees "in the trenches" where risk is best addressed on a day-to-day basis.
How is this line of defense accomplished? The use of four fundamental detective controls backstops our preventive controls.
Detective Controls
Detective controls are designed to alert us to errors, fraud, or other unintended consequences after they've happened so we can act. These four are essential in daily operations.
- Review - Examine for the purpose of evaluation.
- Verification - Determine or test accuracy by comparison, investigation, or reference.
- Reconciliation - Establish a close relationship or resolve differences.
- Variance analysis - Examine and understand the difference between expected or desired results and what occurred.
What if the department head designated a person to:
- Prepare periodic progress reports summarizing departmental accomplishments and financial results (review)
- Confirm critical parts of the information to source documents (verification)
- Verify that all reported financial results corresponded to accounting records (reconciliation)
- Compare revenues and expenditures to prior year results and current year expectations (variance analysis)
To address segregation of duties, the use and emphasis of different preventive and detective controls can be adjusted to fit the number of people involved in departmental processes.
Detective Controls Are No Joke
Musician Steve Miller is probably best known for his 1973 No. 1 hit single, "The Joker." The Washington Post recently profiled Miller1 on the advent of his new box set. From my auditor perspective, two quotes jumped out as great examples of detective controls in practice:
"Miller has never shied away from conflict. In the 鈥60s, when any kid with a guitar would have killed for a record deal, Miller studied the fine print and resisted until the terms changed." (review)
"And when Miller shared the results of his latest audit 鈥 yes, he still conducts them 鈥 Resnikoff didn鈥檛 argue. He had Universal write a check for the $600,000 Miller said he was owed in royalties." (review, verification, reconciliation, and variance analysis)
An auditor will typically use all four detective controls to varying degrees as needed. But as Miller aptly demonstrates, detective controls are also an essential part of one's standard operating procedures.
1
This post was inspired by by Rob Walker.
The book's key theme is to practice paying attention because it's important to notice what others have overlooked or ignored.