Category Archives: Risk Management

Be Persistent and Follow Up

Persistence is crucial in many walks of life. Whether you are in sales, operations, accounting, or other business specialties, you learn the value and importance of following up. Your mode of operation has to be: Relentlessly pursue open issues until you reach a resolution.

In the area of sales, I once had a mentor advise me to come up with ways, in dealing with potential customers, to “force the go or no-go decision.” Get the prospect to commit rather than stringing you out perpetually.

In my day-to-day work as an accountant I find myself devoting large amounts of time to analyzing, in various contexts, what information is missing that should be included or what information is included that should be omitted. For example, customers do not need to know our cost information, so I must make sure to omit such information when I send documents such as invoices to the customers. (In other words, I want to send invoices with the price our customer expects to pay us rather than with the cost that we pay to our vendor, which we hope is significantly less. The way information and documents come through an accounting system, it can be all too easy for an inattentive accountant to make painful mistakes like sending cost information to end customers — thus, double-checking details is crucial).

On the other hand, customers can have exacting requirements regarding the type of information that must be included on invoices and other documents; omissions can create costly charge backs and make our cash cycle inefficient if the customer delays payment due to incomplete invoices.

Often, in the process of analyzing information and resolving discrepancies, I find myself asking questions of other parties and relying on the information provided by suppliers, coworkers, and others. I make a habit of working issues and pursuing resolution until I hit a dead-end (meaning, a point at which additional info is required and I must reach out to a vendor, customer, coworker, etc.).

Sometimes I have to await responses, so the number of “open” items can pile up dramatically. But rather than letting the “open” items sit until I receive an answer, I must continue to follow up — cordially, professionally, and certainly persistently. If I just assume that the other party will at some point provide the info requested, I might let an issue sit for quite some time and forget to finally reach a resolution. Persistence in this environment requires attention to detail and organization so that I can remember routine follow-up. At the end of the day, resolving the problem is my responsibility, and even though it is tempting to blame someone else, it is not possible to legitimately pass responsibility to another person who did not follow up. This is why I must be relentless to pursue resolution in matters subject to my oversight.

Another area of accounting in which persistence is vital is the accounts receivable function. Often, customers wait to pay until someone simply follows up. The customer might have the money, but either the customer’s system is poorly managed or the customer figures it can conserve cash by paying only those who follow up. Sometimes an email or phone call is all it takes to convert receivables into cash in the bank. This is an easy way to provide quick working capital and reduce the need for borrowing or risking the company’s credit standing by slow paying vendors.

Smart Controls: A Financial Institution Disables Admin Accounts After 30 Days of Inactivity

I once had the experience of working with a financial representative to pay employees’ retirement contributions, along with my employer’s matching funds, into employees’ retirement accounts. The representative informed me that my administrative account would be disabled if I did not log in within the next 30 days. Each time I log in, the 30-day countdown starts over.

The representative explained that his financial institution wants to give employers and their representatives (e.g., financial controllers or CFOs) incentive to deposit employee funds timely. The IRS requires companies to contribute the employees’ retirement funds within 30 days after the month in which the employees would have been eligible to receive the funds in cash. Thus, for example, any employee contributions withheld during August from employees’ paychecks must be deposited into their accounts by September 30th. To comply with regulations, the controller or CFO must log in at least every 30 days and make the deposits, so the financial institution’s policy is a handy reminder.

I also reasoned that financial departments have turnover, and one controller or CFO could replace another and assume the duty of depositing employee and matching employer funds into retirement accounts. Part of the controller/CFO function (in conjunction with IT) is to ensure that access to administrative accounts and information systems for the departing controller or CFO is appropriately disabled (or passwords changed, as the case may be) in a timely manner. However, in organizations with lax controls, sometimes during the transition no one thinks to disable the previous controller or CFO’s access. The financial institution I worked with had thought of a solution for one piece of this problem by simply disabling the accounts of departing personnel after no one logs in for 30 days. The accounts are personalized for the employee who logs in and deposits the funds, so if a new controller or CFO takes over the responsibility, that new person would create a distinct account instead of using the account of the departing employee. Unless the departing employee made a habit of logging in, the account would be disabled after 30 days and the company would no longer have a risk that the departing employee could later gain access to sensitive financial information and functions.
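The inactivity rule described above, sketched as a periodic account review. This is an added example, not the financial institution's code; the record fields, the account names, and the 7-day warning window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=30)  # the 30-day window described in the post
WARNING_WINDOW = timedelta(days=7)     # assumption: notify the user a week ahead


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def last_activity(account):
    """Most recent login, or the creation time for an account never used."""
    logins = account["logins"]
    return max(logins) if logins else account["created"]


def review_account(account, now):
    """Return (action, deadline); every login pushes the deadline out again."""
    deadline = last_activity(account) + INACTIVITY_LIMIT
    if account["disabled"]:
        return "already_disabled", deadline
    if now > deadline:
        return "disable", deadline
    if deadline - now <= WARNING_WINDOW:
        return "warn", deadline
    return "keep", deadline


def review_all(accounts, now):
    """Map each user to the action the review would take."""
    return {a["user"]: review_account(a, now)[0] for a in accounts}


# Constructed sample data: a new controller, a departed one whose personal
# account was never cleaned up, a CFO close to the limit, an unused account.
NOW = utc(2024, 10, 1)
ACCOUNTS = [
    {"user": "controller_new", "created": utc(2024, 8, 20),
     "logins": [utc(2024, 8, 28), utc(2024, 9, 27)], "disabled": False},
    {"user": "controller_departed", "created": utc(2023, 1, 5),
     "logins": [utc(2024, 7, 30), utc(2024, 8, 15)], "disabled": False},
    {"user": "cfo_monthly", "created": utc(2022, 3, 1),
     "logins": [utc(2024, 9, 5)], "disabled": False},
    {"user": "never_used", "created": utc(2024, 6, 1),
     "logins": [], "disabled": False},
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        action, deadline = review_account(acct, NOW)
        print(f"{acct['user']:20} {action:8} deadline {deadline.date()}")
```

The never-used account is measured from its creation date, so an account provisioned during a handover and then forgotten is disabled as well.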

Whitepaper: Do I Need a CFO or a Controller?

What are the differences between the roles of the CFO and Controller? How does an organization determine whether to utilize the functions of a Controller or CFO (or both)? A white paper by The Brenner Group provides this summary: “The CFO and the Controller play very important, yet different roles within growing companies. The CFO typically serves as a strategic partner for the CEO and the Controller is more focused on day-to-day tactical accounting matters.”

The white paper gives the following descriptions for the role of the Controller:

  • Implement and/or create fundamental accounting policies and procedures
  • Manage day-to-day accounting and cash flow maintenance (including payroll processing, accounts receivable and collections, and accounts payable distributions)
  • Implement accounting software and establish chart of accounts
  • Update financial models and analyze budget to actual activity
  • Prepare financial management reports in a timely manner for use by the management team and the Board to run the business
  • Handle basic Human Resource tasks such as maintaining employee files, generating offer letters, researching benefit questions, processing 401K activities, etc.
  • Help recruit, build and manage the accounting and finance department
  • Manage annual audit preparation and process
  • Act as the historian with respect to accounting matters

On the other hand, the CFO’s role is distinct from that of the Controller:

  • Be intimately involved with the CEO and Board on strategic planning matters, effectively serving as the “right hand” to the CEO
  • Assure adequate capital or growth by assisting with financings, including preparation and presentation for Angel or Venture Investors
  • Manage cash flow and provide timely communications regarding the future cash projections and needs
  • Function as the “Vice President of all other”—i.e. any function not directly involved in designing, manufacturing, selling or supporting the product
  • Direct or implement accounting systems, policies and procedures
  • Facilitate the development of annual strategic operating plans
  • Create and implement forecasting tools to measure the business
  • Administer stock option issuance and tracking
  • Manage the human resources function, including obtaining and administering employee benefits
  • In cooperation with the CEO and the Board, locate and negotiate facilities and fixed asset acquisitions
  • Initiate and retain outside relationships with independent accounting, tax and legal advisors
  • Work with the sales department to establish pricing policies
  • Hire and staff the finance and accounting department
  • Oversee risk management, including adequate insurance coverage

Read the complete whitepaper: Do I Need a CFO or a Controller?

Senior Management Sets the “Tone at the Top”

As a generalization, our culture tends to respect individualism and prioritize the valuable contributions that each person can make to an organization or society. This “democratic” view of culture, for all its merits, must be balanced with an insight formulated by the audit profession: Tone at the Top.

Tone at the top, in the context of establishing an effective control environment within a business, is best explained by COSO, an organization founded by several professional finance and accounting organizations to provide thought leadership on risk management, internal controls, and fraud prevention. COSO’s Internal Control — Integrated Framework Executive Summary states:

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct. Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance. The resulting control environment has a pervasive impact on the overall system of internal control (emphasis added).

The best example I saw of “tone at the top” was at a business in which the owners had invested significant effort toward intentionally creating a culture of integrity and value creation. This “tone at the top” was not imposed upon the enterprise and its subsidiaries. Rather, the culture of the organization reflected the vision, values, and ethics that senior management believed and practiced. These leaders understood “tone at the top” and effectively took the lead to guide their organization to success in the marketplace.

What steps did this organization take? There were many facets of the tone at the top and how it was manifested throughout the organization down to the lowest level, but here are just a few that come to mind:

  • A clear vision and mission statement, which defined the organization for its customers, employees, partners, investors, and other stakeholders
  • A principles-based approach toward leadership within the organization
  • A minimalist approach toward detailed rules
  • An emphasis on hiring people who would “fit” well into the organization’s culture based on character and skill
  • Leadership by clarity of articulation and example by senior management

This deliberate approach to “tone at the top” creates an effective control environment, as compared to a disjointed or even nonexistent plan for establishing organizational culture. Whether senior management acknowledges or ignores the concept of “tone at the top,” the reality is inescapable. Employees hear what senior managers say and, more importantly, see what senior managers do. The example senior managers set, both by formal policies and procedures as well as by daily conduct, sets a tone — whether positive or negative.

Although each individual can play a valuable role within an organization, senior management first and foremost must take its responsibility seriously to nurture a culture of integrity, discipline, and effectiveness. Done properly, the established “tone at the top” can propel an organization on a trajectory toward achieving its goals and objectives.

How Can You Prevent Fraud in Your Business?

Soldiers have their battle stories. Athletes recount memories of their on-field exploits. Actors make a living out of drama. So what type of exciting professional adventures would you expect from an accountant? No, we’re not talking about paper cuts, out-of-control copy machines, or circular references in Excel files. The most exciting shop talk within accounting circles invariably involves uncovering a massive fraud in one of our clients’ companies. Off the top of my head, here are some of the most infamous examples I have heard from my fellow accountants:

  • When I was in one of my first accounting classes my teacher told a story of a bartender who she discovered was pocketing money from the bar sales and covering the inventory discrepancy with his own booze brought in from the outside (he was pocketing a nice margin along the way).
  • When I was an auditor my boss told me a story about his discovery that a credit union employee falsified records in a failed attempt to cover up theft of the institution’s funds.
  • I became familiar with a situation in which an elderly professional client of our accounting firm had a long-time, trusted employee use her employer’s funds to pay her mortgage, provide gifts for her family members, pay her debts, and more. As you might have guessed, our client had not taken it upon himself to review the banking information for his business.
  • A finance executive friend shared about an employee within his company that he had to fire and evict from a company-owned rental unit because she was stealing funds from the business.
  • A forensic accountant at a recent seminar shared her story of discovering a fraudulent CFO’s misdeeds not once, not twice, but three times. When her client (the business owner) refused each time to do anything significant about this problem, she fired her client and discovered not long thereafter that the business had gone under.
  • Another story I heard (one of my favorites) involved an inept management team that provided free and open access to all employees to every module within the information system. When the auditors arrived to do their standard year-end work, one of the employees became very inquisitive and showed signs of nervousness. Although they would not have otherwise been inclined to investigate her specifically or to look at detailed payroll data, the auditors decided to take a look at her payroll transactions and discovered that she was getting paid far more than other production workers in the business. As it turned out, before each payroll was run, she took it upon herself to increase her pay rate by $5 per hour. After the payroll run, she would decrease the rate back to normal so that hopefully no one would notice.

Fraud often resembles lightning: It strikes you suddenly, when you are least expecting it, and often when you are comfortable. Experienced risk managers understand that fraudsters don’t fit the popular media stereotype of slimy connivers. Rather, they are often regular people, even trusted long-time employees.

The key to preventing fraud is situational awareness. Know the yellow and red flags such as a rapid and unusual increase in an employee’s living standards, an employee who unnecessarily works long or odd hours and refuses to take vacations (for fear that another person covering the role for a few days could discover the misdeeds), or an employee who noticeably faces financial pressures. Also, be aware of the “fraud triangle”:

  • Pressure – an employee or someone else with access to company resources might have a personal financial pressure in life such as uninsured medical bills, a gambling habit, credit card debt, or a divorce. Many savvy employers check credit history for potential new hires to initially screen out employees who might bring unwanted personal pressures into the workplace environment.
  • Opportunity – the employee sees a weakness in the company’s systems, whether an open door in a secluded part of the warehouse, an unsecured cash drawer, or in the case of many large frauds, a material internal control weakness that enables an employee to misappropriate funds without getting caught.
  • Rationalization – most people understand it is wrong and risky to steal, but if they feel the need and see the opportunity, they can often come up with ways to justify it in their minds. Some employees, especially in times of tight corporate budgets during economic uncertainty, may feel overworked, underpaid, and under-appreciated. Perceptions about unfair treatment and office politics, regardless of whether these notions are justified or mere fabrications in the employee’s mind, can breed resentment and a desire for revenge.

A successful fraud involves all three elements to one degree or another. An employee without some type of pressure to defraud her company — even if she sees an opportunity and might be able to perversely rationalize it in her mind — will probably back off when she considers the potential consequences if she got caught. Likewise, without an opportunity or a way to rationalize a fraud, an employee will probably think better of it.

Business owners can exert the most direct influence over the second point, opportunity. One of my accounting teachers recounted when he tried to suggest sound financial controls for his church finance committee. His pastor did not take kindly to this, assuming that he was “accusing the brethren” within the leadership. However, as my teacher pointed out, there is nothing to be lost from implementing measures to keep honest people honest.

Internal controls are aimed at preventing, detecting, and correcting fraud, whether misappropriation of assets or fraudulent financial reporting. Furthermore, beyond safeguarding physical and intangible assets, controls also should be designed to ensure operational effectiveness. (More on this in future installments.)

The primary preventative internal control is segregation of duties. Specifically, companies are well advised to separate these functions among employees:

  • Custody of assets, e.g., inventory and cash
  • Authorization of expenditures or disbursements, e.g., cash payments or inventory shipments
  • Recording of transactions, e.g., entering payments or inventory transactions into the system
  • Reconciliation, e.g., the monthly bank statement reconciliation or the periodic inventory count and reconciliation to inventory records in the accounting system

For example, ideally the same person should not have access to company funds (e.g., to be a signer on the bank account), the ability to authorize spending those funds, the authority to record the transaction, and the responsibility to reconcile the bank statement at the end of the month. Some or all of these duties should be segregated among several employees so that any fraud would require collusion. Even if one employee had the pressure and rationalization to commit fraud, in an environment with segregation of duties, he would have to take the risk of recruiting another employee to cover for him.

The warehouse manager who has physical access to inventory should not have the ability to make inventory adjustments in the accounting system, as this segregation between custody and recording prevents the manager from stealing product and recording adjustments to make the system data match the physical inventory. Rather, inventory shrinkage should show up on reports monitored by inventory accountants who do not have access and authorization to remove product from the warehouse; by segregating these duties, discrepancies should be detected, monitored, and accounted for by the appropriate authorities.
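A segregation-of-duties review over system permissions, covering both the cash example and the warehouse example above. This is an added example, not taken from any particular accounting system; the permission names, the user names, and the mapping of permissions to duties are hypothetical, and the assignments are constructed sample data.

```python
from collections import defaultdict

# The four duties the post says should be separated.
DUTIES = ("custody", "authorization", "recording", "reconciliation")

# Assumption: hypothetical permission names, each mapped to (process, duty).
PERMISSION_DUTY = {
    "bank.signer": ("cash", "custody"),
    "ap.approve_payment": ("cash", "authorization"),
    "gl.post_payment": ("cash", "recording"),
    "bank.reconcile": ("cash", "reconciliation"),
    "warehouse.access": ("inventory", "custody"),
    "inventory.approve_shipment": ("inventory", "authorization"),
    "inventory.post_adjustment": ("inventory", "recording"),
    "inventory.count_reconcile": ("inventory", "reconciliation"),
}

# Constructed sample assignments.
ASSIGNMENTS = {
    "warehouse_manager": ["warehouse.access", "inventory.post_adjustment"],
    "inventory_accountant": ["inventory.count_reconcile"],
    "bookkeeper": ["bank.signer", "ap.approve_payment",
                   "gl.post_payment", "bank.reconcile"],
    "ap_clerk": ["gl.post_payment", "reports.view"],
    "owner": ["bank.signer", "inventory.approve_shipment"],
}


def find_conflicts(assignments, permission_duty=PERMISSION_DUTY):
    """Return (conflicts, unmapped).

    conflicts: {(user, process): [duties]} where one user holds two or more
    duties in the same process, so fraud there would not require collusion.
    unmapped: {user: [permissions]} that the mapping does not classify; they
    are reported for review instead of being silently treated as harmless.
    """
    held = defaultdict(set)
    unmapped = defaultdict(list)
    for user, permissions in assignments.items():
        for perm in permissions:
            if perm not in permission_duty:
                unmapped[user].append(perm)
                continue
            process, duty = permission_duty[perm]
            held[(user, process)].add(duty)
    conflicts = {
        key: sorted(duties, key=DUTIES.index)
        for key, duties in held.items()
        if len(duties) >= 2
    }
    return conflicts, dict(unmapped)


if __name__ == "__main__":
    conflicts, unmapped = find_conflicts(ASSIGNMENTS)
    for (user, process), duties in conflicts.items():
        print(f"CONFLICT {user} / {process}: {', '.join(duties)}")
    for user, perms in unmapped.items():
        print(f"REVIEW   {user}: unclassified {', '.join(perms)}")
```

Duties held in different processes, such as the owner's bank signing authority and shipment approval, are not flagged; the check is per process because the risk is one person controlling the whole life cycle of the same asset.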

A final word for business owners and CEOs: Especially in this era of automated and integrated accounting systems that allow a small finance staff to handle high transaction volume, many companies do not have adequate staff to properly segregate all duties among finance staff. This means that the business owner or CEO should be involved and situationally aware of risks. Although hiring trustworthy staff members who can be relied upon is one essential component, if there are limited numbers of staff in the finance group (i.e., one or two people), the owner needs to take some time to monitor the activities of this important department. At the very least, take time to check the bank statement each month, look at reconciliations for asset accounts such as inventory, and consider engaging an outside professional for a year-end audit. (As a bonus, an experienced auditor with industry expertise can provide input on enhancing operational and financial effectiveness.) However, do be aware of the limitations of assurance that auditors provide regarding detecting fraud (this is spelled out clearly in auditor engagement letters). If you have a suspicion that fraud might be taking place, consider engaging a fraud examiner or forensic accountant to investigate.

Categories for My Website

This is my CFO Career Development Plan website. I will post my career plan and chart my progress, and this site will be a tool in the process. For example, part of my career plan will involve reading books, and I can review them on this site to give valuable input for others from my learning.

Here are some of the categories I plan to cover on this site as I develop my career as a financial professional:

  • Risk Management
  • Tax and Regulatory Compliance
  • Human Resource Management and Supervision
  • Policy Making
  • Decision Making and Analysis
  • Forecasting and Budgeting
  • Professional Development
  • Strategy and “Big Picture” Focus
  • Investor and Lender Relations
  • Information Technology Tools
  • And More …