Summary of Issue:
Sometimes the system of internal controls is so bad or non-existent that fraud cannot be proven, or the loss quantified. We were recently retained to do a fraud examination for an off-site division of a very large business. Corporate management was new, and they had begun the work of reshaping operations and clearing out problems within all the divisions of the company. Management described several indications that there were serious problems within this particular division and they did not want to use the outside audit firm to examine those concerns. They alleged that company policies and procedures were not being followed, that company assets were being misappropriated, and there was an unusual and detrimental relationship with a significant vendor. This is a very common scenario and we followed the usual protocol.
The first phase of the engagement was to get documents and figure out a scope and sequence of work, the time period to be examined, and the form of reporting to our client. As is typical, we saw quickly that management had very good reason for concern, and the direction and method of the examination was quickly determined.
Problems and hindrances developed once we started the second phase of the work. First, this division of the company had long ago isolated itself from the rest of the company. It had become a self-contained silo within the larger company. Management had adopted accounting and process software different from the rest of the company. A culture had developed where information was not shared with the rest of the company and employees had a fierce loyalty to division management and each other. It turned out some or most of that loyalty was driven by fear of the division president. The ability to conduct a review without raising undue notice or alarms was virtually impossible. None of the staff was made available for interviews to determine policies and procedures within the division.
It was also apparent that the culture had existed so long that the centralized systems designed to maintain and monitor internal controls within the division had long ago been intimidated so completely that the division was avoided and ignored. Auditors avoided the division president and his team. Essentially, there was no audit of the division and it was probably justified as being immaterial. Internal audit and the accounting staff of the company simply avoided contact with the division because it was so unpleasant and non-productive. Requests for information were ignored or delayed to such an extent that people gave up. We saw this first-hand in the course of our work.
The result was a completely different set of accounting policies and procedures in the division than existed in the rest of the company. We never could determine what those were and/or whether they were being followed. Evidence was developed supporting the suspicion that assets were being misappropriated, there likely was a kickback scheme with a significant vendor, and that the company’s policies and procedures had been ignored, modified, and overridden. However, because of the communication lockdown within the division and the lack of data we could not “prove” it.
Not all of our engagements culminate with a complete and final solution; some end as a series of recommendations for the next phase of assessment and problem resolution. In this case, if there were crimes committed it was likely one, or a few, individuals were involved. Internal controls and a fraud examination can identify those individuals and exonerate others. We left that engagement having issued a long list of observations about the lack of controls and reasonable business practices along with recommendations for fixing the situation. Unfortunately, we also left the company having not completed the process of identifying the responsible people or quantifying the loss in a definitive way, due to the lack of controls and documentation. Consequently, we were forced to leave behind a dark cloud over a large group of people – some of whom would have been well served by a solid and functional system of internal controls.