The Internal Control System of Clive Peeters in Light of the Embezzlement Case - Research Paper Example

i LETTER OF TRANSMITTAL Enclosed is our report on the events that precipitated the suspension of the trading of Clive Peeters shares in August 2009, namely the embezzlement of close to $20 million by its Payroll Manager, and the subsequent efforts to recover company funds. The misappropriation of cash for transfer to the account of the offender and related parties and subsequent purchase of real estate and personal assets had caused considerable cash difficulties on the part of the company. The incident indicated deficiencies in the internal control system of Clyde Peeters Ltd., as well as some shortcomings on the part of management and its auditors. Despite management claims that an internal control system had been working efficiently and effectively, evidence points to real deficiencies that required correction. The Board of Directors instituted some structural and procedural changes that could equip the company with the needed skills and readiness to confront future challenges of the same nature. We have recommended some specific changes in the companys practice with respect to its payroll method, namely, a return to the paycheck method instead of Internet banking which uses direct payment; or alternatively, a better way of conducting and monitoring its Internet banking activities related to payroll. We also recommended consideration of purchasing fraud monitoring and control software which can automate a continuous process of supervision and control that will safeguard its business assets and ensure accurate and reliable financial reports. TABLE OF CONTENTS Contents Page Introduction 1 Background facts 1 Financial impact of the misappropriations 2 Measures adopted by management 2 The importance of internal control system 3 Internal control system at Clive Peeters 5 Implications on the internal control system 6 Internet banking 7 Conclusion 8 Recommendations for CQUniversity 9 Bibliography 11 CLIVE PEETERS: A STUDY IN INTERNAL CONTROL Introduction The purpose of this report is examine the internal control system of Clive Peeters in light of the embezzlement case that occurred before, during and shortly after FY June 2009, and their implications with regard to possible changes for the future. The embezzlement of a significant amount of cash had considerable impact on the financial condition of the company during that year and served as a warning to the companys management that changes would be needed in order to avoid any future occurrence of the same incident. This report will examine the facts of the embezzlement case and their implications for the company and its internal control system. It will also analyze the payroll method which gave rise to the opportunity for fraud and recommend alternative solutions. Background Facts Clive Peeters Ltd announced on August 11, 2009 that it had discovered accounting discrepancies in its payroll accounts which showed that a staff member (Payroll Officer Sonya Causer) had transferred cash out of the business to her bank accounts and the bank accounts of related parties; and that the funds were used to buy and sell real estate. The total misappropriated cash was $19.366 million. The misappropriations were accomplished through falsification of entries in the companys payroll accounts. The company also announced that it was seeking recovery of real estate and other assets,with regard to which Ms. Causer and related parties were cooperating, and that the Victorian Supreme Court had ordered the transfer of the said assets to the company and the freezing of the bank accounts of the offenders.1 ---- 1Data in this section were taken from several online sources, from blogs and newspaper reports. 2 The missing total cash included $818 thousand misappropriated in July 2009. This amount was to be reflected in the ensuing fiscal period ending June 2010. The recoverable amount for 2009 was to exceed $16.366 million after deducting mortgage and transaction costs because of expected loss on sale of the properties in the sum of $3 million. On top of that, the legal, investigation and other costs were estimated to amount to $1.815 million, for a total cash outflow of $4.815 million. For the said fiscal year ending June 2009 the total misappropriated cash was $18.548 million, which means that after deducting the relevant cash outflows, the net proceeds from the recovery could be $13.733 million. Despite the accounting discrepancies, the company reported that the " view expressed by the Managing Director and the Chief Financial Officer is that these misappropriations occurred despite the sound system of risk management and internal controls that existed within the business which were operating efficiently and effectively in all material respects in relation to usual and foreseeable financial reporting risks."2 Financial impact of the misappropriations During the period in which cash misappropriations were being committed prior to, during, and after FY 2009, the company was steadily experiencing cash problems that affected its trading performance beginning in the fourth quarter of 2008 and worsening in the second half of the fiscal year. The company stated that there were interruptions in supply of trading inventory, adversely impacting sales. When the fraud was detected in early August 2009, the huge amount of $19.4 million had left a wide gap that caused a negative cash flow from operations of $9.2 million instead of a positive cash flow of $9.2 million. Measures adopted by management Despite claims that a sound system of risk management and internal controls were working efficiently and effectively, the management initiated measures aimed at "guarding against the types of exceptional ---- 2Notes to Financial Statements, Annual Report 2009, Clive Peeters Ltd. 3 circumstances that were involved in the misappropriations." 3. The companys Board, stating that it was to govern rather than manage the company, stated that its functions and responsibilities with regard to the implementation of appropriate strategy included mainly collaboration with senior management to set the corporate objectives and appropriate strategic direction - and the regular review and updating thereof -- as well as to ensure that an "an appropriate set of internal controls are implemented and reviewed regularly." The Board also established an Audit, Business Risk and Compliance Committee, to which was delegated the responsibility for "maintaining a framework of internal control and ethical standards. . . " The main objective of that Committee was the establishment of an effective internal control framework and an independent, objective review of financial and other information by management, particularly in the discharge of the companys responsibilities relating to, among others, the protection of company capital and the risk management systems. Among other functions related to audit, it was to review and report to the Board that a system of control established by management effectively safeguards the assets of the business. In addition the Managing Director and Chief Financial Officer were tasked to provide a written statement to the board that the financial report was based on a system of risk management and internal compliance and control; and that the said system was operating effectively in all important respects. The importance of internal control system According to the Accounting Standards Board, internal control "comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to managerial policies."4 The importance of internal control has grown over the ------ 3Ibid. 4ASB Codification of Statements on Auditing Standards (New York: American Institute of Certified Public Accountants, 1979) Auditing Section 320.09 4 years owing to the increasing scope and complexity of many business operations, which require numerous reports and analyses for control purposes; the need to protect businesses against human weaknesses, errors; and irregularities; and the economic impracticality of audits without reliance on an internal control system.5 Auditors and accountants are cognizant of the fact that internal control systems are designed towards the safeguarding of assets, the reliability of financial records, and transactions. Assets need to be protected against losses that may arise form unintentional or “intentional” errors. The latter include irregularities and embezzlements arising from breach of trust, and losses due to falsification of records such as payroll padding. Financial records have to be accurate and reliable for both internal use and for compliance with external reporting mandates. Transactions have to follow a standard system flow that includes authorization, execution, recording, and accountability. The design, installation, maintenance, and supervision of the internal control system is the responsibility of management. The design and installation require careful and detailed planning and preparatory work, including staff training in the application of control procedures. The system of internal control must be subjected to continuing supervision and periodic tests, reviews and amendment so that it remains effective and relevant amid changing conditions. Monitoring and surveillance is often delegated to an internal auditor. Further, the internal control system must provide reasonable assurance that its objectives (safeguarding of assets and reliable financial reports) are achieved at reasonable cost; and it must also contribute to, rather than hamper, operational efficiency. Finally, an internal control system should be a dynamic and proactive system that responds to changes in the operational and external environment, including changes in data processing methods arising from new technological innovations. Textbooks on auditing and accounting information systems identify certain essential features of an effective control system, namely: segregation of functions, authorization procedures, documentation ----- 5See Walter G. Kell, Richard E. Ziegler and William C. Boynton. Modern Auditing. 7th ed. (New York: John Wiley & Sons, 2000) 106 5 procedures, accounting records and procedures, physical control of assets and accounting records, and independent internal verification. Together, these features if carried out correctly will ensure that the goals of the internal control system are achieved. With these concepts in mind, the present task is to examine what can be gleaned from available sources about the internal control system at Clive Peeters Ltd. Internal control system at Clive Peeters There is very little information on the internal control system being used in Clive Peeters Ltd other than general statements on the matter expressed in its Annual Reports. This creates a rather biased view because whatever merits it may have is being overshadowed by a single case of a flagrant breach committed by its payroll manager. Thirty-eight year old Sonya Causer worked for Clive Peeters Melbourne head office for 3 years, receiving an annual salary of $125,000. Seven months after being promoted to payroll manager of the whitegoods and electrical retailer, she began transferring cash from the company to her own bank account and to the account of her company, M & S Business Enterprises. She took advantage of an “Internet banking loophole” (the specifics of which were not disclosed) of her company with the National Australia Bank. During a period of over a year she had siphoned off nearly $20 million without arousing managerial suspicion until late July 2009 when a co-worker, an accountant, discovered a $2 million discrepancy in the accounting records. It was learned that during the period of over a year, Ms Causer purchased some 43 real estate properties in Melbourne and its suburbs and in other cities in Tasmania and Queensland, including the home she and her spouse lived in, and bought three cars for her private use. Many of the real estate properties had been generating rental income.6 According to news reports, Ms Causer falsified payroll records to transfer cash to her own bank account. She was a signatory to her companys account, being a senior member of her companys Finance Team. She covered her trail by changing financial records, thus her crime did not become apparent to the management, co-workers, and internal auditors. On July 29, 2009, an office colleague --- 6 See news item at http://www.standard.net.au/news/national/national/general/peeters-left-reeling-by-20m-sting/1593572.aspx 6 discovered a $2 million discrepancy between two ledgers. A subsequent examination by auditors revealed that there was a much larger deviation, and the discovery of $7 million was quickly reported to the Securities and Exchange Commission at the end of that month as a basis for the suspension of trading of its stocks. The amount of fraudulent transfers ballooned to $20 million on succeeding investigations. Initially rationalizing that she falsified entries in order to "help the company," she later admitted to the full extent of her crime before the Board and Mr. Greg Smith, the Managing Director, on August 4, 2009. Ms. Causers accumulated assets from the theft exceeded the pre-tax earnings ($17.3 million) of the company in FY 2009. While civil action was being taken to freeze her assets and transfer them to the company, she had been suspended, and no criminal action had been taken. Causer and her husband had their assets frozen and the couple had to live on no more that $1000 each a week and could only spend $10,000 on legal expenses, the Sydney Morning Herald said. Implications on the internal control system Ms Sonya Causer was a well-paid Payroll Manager who had been promoted presumably because of meritorious performance in her job. She was also a member of the Finance Team with authority to co-sign checks and other papers. It was not hard to see that she was trusted by most everyone, a situation that can cause potential problems in any organization. Considering the brazenness of the continuing theft over an appreciable period of time, there would have been plenty of signs that the people in Clive Peeters chose to ignore or downplay. A high degree of trust can desensitize everyone from recognizing anything that might smack of an irregularity. One blog writer even said that the non-detection of fraud "beggars belief." The case brings to mind another case of embezzlement described in the Trolley Dodgers case.7 Campos, the payroll officer of Trolley Dodgers, was well respected for his work ethic and loyalty to the club and its owners. He embezzled several hundred thousand dollars by padding the clubs payroll, --- 7Knapp, Michael C. Contemporary Auditing: Real Issues and Cases, 4th ed. Cincinnati, OH: South-Western Publishing Company, 2001 7 adding fictitious employees and inflating the hours worked of some, splitting overpayment with those individuals who benefited from his scheme. While he was on sick leave, the controller discovered the misappropriations. Campos was sentenced to 8 years in jail and ordered to make a restitution to the Dodgers. The amount misappropriated pales in comparison with that of Ms. Causer, however. The Clive Peeters embezzlement case involved the use of Internet banking. It seemed that nobody else understood Internet banking and the specific risks and the loopholes direct payment to bank accounts entailed. Also, the risk of fraud even within an internal control system is increased when there is pressure or incentive to commit fraud, where there is an opportunity, and where the fraudster can rationalize on her deed.8 Ms. Causer was able to rationalize by saying that she was intending to help the company. It appears that the internal control systems was deficient, or its implementation was tainted by ignorance, laxity, or indifference – or any combination thereof – by all those responsible for safeguarding the assets of the business. Internet banking Internet, or electronic, banking offer s an online facility which provides users with the ability to undertake various banking functions, such as checking account balances, fund transfers, or direct debit/credit.. A dedicated Internet banking software has the ability to process payroll and related payments whereby the payment is directed to one creditor/payee only and includes detailed audit trails or transaction reports that yield a high degree of data validation and security.9 However, in the Clive Peeters case we can only speculate that the loophole existed because its bank did not use such a software. This was exacerbated by the lack of familiarity of the risks inherent in a direct payment method on the part of management and the auditors. Unlike payment by check, which uses an imprest system – one where the monies are transferred to a payroll account in a bank preparatory to disbursement and targeted to have a zero balance after the payment period -- Internet banking simply transfers funds from the companys checking account to the employees bank account. This probably accounted for the huge amount that were taken from the company. --- 8 http://www.corporatecomplianceinsights.com/tag/internal-audit 9 “Internet banking.” Department of Education and Early Child Development, Victoria www.eduweb.vic.gov.au/edulibrary/public/.../Internet_Banking.doc - 8 Periodic cash budgets also serve to give management a warning whenever deviations become significant, as it would certainly have occurred. Yet no action was taken to check the cash budgets and the attempt to unearth the causes of the substantial deviations. We are therefore tempted to conclude that the company did not have a decent internal control system, and if there was any, the appropriate rules and procedures were not followed. In most fraud-aware companies, the internal control system is periodically reviewed and tested for their efficacy in terms of preserving corporate assets and ensuring the accuracy and reliability of its financial reports. From the known facts, we can deduce that the management and the auditors were remiss in their duties. Conclusion The embezzlement incident at Clive Peeters was so blatant that it boggles the mind how management and the auditors could have missed it while it was going on for over one year. A skeptic may tend to speculate that the theft was sponsored by management and that everything else, particularly the aftermath, was staged-managed. This is bolstered by the fact that the management has not filed criminal charges against Ms. Causer. The stockholders could possibly think of having the management investigated for its negligence and possible participation in a conspiracy. Setting this notion aside, we say that the response of the Board of Directors and senior management of Clive Peeters to the crisis looks proper in the sense that it recognized the need for an effective internal control system and the institution of organizational and procedural changes. We are not sure, however, about how this was going to be carried out at the operational level. In general, it may be stated that the company should be guided by the principles of risk awareness (for both business and strategic risks) and fraud awareness throughout the organization, and creating a hotline reporting process for whistleblowers. An incentive system for whistleblowers can encourage reporting of fraud by subordinates whenever fraud is committed by one in a position of authority. 9 Recommendations for CQUniversity Initially, the management may consider reverting back to the paycheck method of compensating its employees. Despite the inconvenience of preparing checks, it will ensure that only so much money can be withdrawn as budgeted for salaries and wages through the imprest system. If management must insist on using direct deposit method within the framework of Internet banking, in view of certain advantages such as the economy and convenience considering that there are many employees in its payroll, certain guidelines must be observed in order to avoid overpaying employees due to overstated time and attendance data and crediting the accounts of fictitious employees. A proper segregation of duties will ensure that different individuals perform the tasks of authorizing and making changes in the payroll master file, recording and verifying work data, and preparing the disbursement schedule to be transmitted to the bank. The following model of internal control for payroll payments using Internet banking can be set up for CQ University, similar to the system adopted by Yale University: 10 1. Any payments must be authorized by two people, inasmuch as payment through an Internet banking is like any other form of payment. 2. Proper authorization and approval of the initial setup of account details and the ensuing transactions against the accounts. 3. Appropriate segregation of duties that will ensure that the accounts are accurate and legitimate. 4. Accuracy and completeness of all details, verifiable by a responsible officer. 5. Documentation on all transactions is kept under separate custody of the university. 6. Complete security and confidentiality of data. Fraud control software. The University may consider the acquisition and use, as appropriate, of software to do fraud data interrogation for governance, risk and compliance (GRC) programs, a --- 10See Yale University Guides: Policies, Procedures, and Forms. Revision July 2002 [online]; accessed 29 Dec. 2009; available from http://www.yale.edu/ppdev/Guides/fpm/ICGuidePayroll.pdf 10 decision which is becoming popular with thousands of companies worldwide, according to news reports.11 Such software programs are used for data analysis, continuous audit, and fraud detection and investigation. One leading software in the market is continuous controls monitoring (CCM) which seeks to mitigate risks and optimize operations. Another software, the ACL AuditExchange business assurance platform, aims to yield insights into errors, inefficiencies and fraud. Other products that an university administration may consider in order to enhance its internal control system are ActiveData for Excel, IDEA, and Microsoft Excel and Acess. --- 11For a detailed description, see http://www.informationactive.com/data/attachments/fraudsoftware.PDF 11 11 Bibliography Bell, Erich. “Internal Control Checklist: 5 Anti-Fraud Strategies to Deter, Prevent, and Detect Fraud” February 16, 2009 [online]; accessed 29 December 2009; available at http://www.corporatecomplianceinsights.com/tag/internal-audit Carson, Vanda, and Lucy Battersby, "Peeters left reeling by $20m sting" The Standard, Victoria [news online]; accessed 27 Dec. 2009; available at http://www.standard.net.au/news/national/national/general/peeters-left-reeling-by-20m-sting/1593572.aspx Clive Peeters Annual Report 2009. Notes to the Financial Statements [online] accessed 27 Dec. 2009; available at http://www.clivepeetersltd.com.au/Investor-Relations/~/media/Corporate%20Files/2009%20Annual%20Report.ashx Fraud software, InformationActive [online]; accessed 27 Dec. 2009; available at www.informationactive.com/data/attachments/fraudsoftware.PDF) Kell, Walter G., Richard E. Ziegler and William C. Boynton. Modern Auditing. 7th ed. New York: John Wiley & Sons, 2000 Knapp, Michael C. Contemporary Auditing: Real Issues and Cases, 4th ed. Cincinnati, OH: South-Western Publishing Company, 2001 “Internet banking.” Department of Education and Early Child Development, Victoria [online]; accessed 27 December 2009; available at www.eduweb.vic.gov.au/edulibrary/public/.../Internet_Banking.doc Romney, Marshall B. & Paul J. Steinbart. Accounting Information Systems. 11th ed. New York: Prentice Hall, 2008 "The Trolley Dodgers," Case 2.3. In Michael C. Knapp. Contemporary Auditing: Real Issues and Cases, 4th ed. Cincinnati, OH: South-Western Publishing Company, 2001; and [online]; also available at http://sjjx.znufe.edu.cn/jxzy/aljx/200704/P020070429019018107468.pdf Yale University Guides: Policies, Procedures, and Forms. Revision July 2002 [online]; accessed 29 Dec. 2009; available from http://www.yale.edu/ppdev/Guides/fpm/ICGuidePayroll.pdf Read More