Skip to content

Understanding financial controls: Minimizing risk for employee theft in a card office

Like it or not, people steal. They steal from everywhere. When they steal from a home its called burglary, from a bank its called robbery, and from an employer its called embezzlement. And it happens on college and university campuses far more often than many imagine. If you doubt this, conduct a quick Internet search and you’ll find numerous references to embezzlement by campus personnel. If we are not aware of it and take steps to prevent it than we, in effect, create an environment that breeds embezzlement.

Factors that encourage embezzlement include the accepting and dispensing of cash, a high volume of transactions, atypical transactions (e.g. those not taken via a cash register with a receipt printer), and poor internal controls.

According the University of California’s Guide to Understanding Internal Controls (UC Guide), an internal control is “a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.” From a financial standpoint, internal controls help ensure that books balance, assets are protected, and the likelihood for theft/fraud is reduced.

Key to this definition is the concept of ‘reasonable assurance.’ Internal and financial controls are balancing acts designed to weigh risks against the controls required to limit these risks. It is possible to completely eliminate a risk but typically the results would be unacceptable. For example, the risk that an employee could steal from petty cash could be eliminated by eliminating the petty cash drawer altogether. This control, however, is unacceptable in that petty cash serves a valuable function in day-to-day business operations. A more reasonable control would be to require written receipts or confirmations for all petty cash transactions, limit access to the drawer to a single employee, establish periodic drawer counts by a person other than the drawer’s custodian, etc.. This more acceptable process would provide the sought after ‘reasonable assurance.’

The UC Guide further describes this balance by examining excessive risks and excessive controls:

Excessive Risks Examples
Loss of Assets, Donor or Grants
Poor Business Decisions
Noncompliance
Increased Regulations
Public Scandals

Excessive Controls Examples
Increased Bureaucracy
Reduced Productivity
Increased Complexity
Increased Cycle Time
Increase of No-Value Activities

Just like in the crime dramas, for an employee to steal from your operation there must be motive and opportunity. The motive or motivation is situational pressure felt by an individual for additional money or things that money can bring. One could argue that some degree of motivation to steal exists in nearly every employee. All have bills to pay. But when motivation increases due to family problems, illness, or other circumstance is when most embezzlement begins. Opportunity is really just access to an environment in which the theft can be committed. As administrators, we cannot control an employee’s motives but we can impact their opportunity via effective internal controls.

Certain types of activities and transactions conducted in our campus business units should be watched as high risk situations for fraud. These include:

  • Petty cash
  • Cash Receipts (card office, bookstore, parking, ticket office, etc.)
  • Consultant Payments and Other
    Payments for Services
  • Travel Expenditures
  • Payments to Non-Vendors
  • Equipment Delivered Directly to
    Department
  • Purchase Exemptions (sole source)
  • Equipment Moved Off-Location

Types of internal controls
Controls can be viewed in two categories, preventive controls that attempt to deter theft before it can occur and detective controls that attempt to identify a theft after it has occurred. Both are key to a successful enterprise.

According to the UC Guide:

“Preventive controls attempt to deter or prevent undesirable events from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.”

“Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.”

It is very likely that your institution has established a written policy for internal controls. Make sure that every one of your managers has a copy and understands it.

The biggest key to combating embezzlement is to learn to be observant. Use common sense as you view your operations and look at situations as if you were considering theft. Where are the weak points in your organization. Remember, one of the most common indicators of embezzlement is often right before your eyes. Know your employees and take an active interest in their lives. If you notice a drastic change in life-style that comes from an increase in discretionary spending, pay particular attention. This could be a sign of good fortuneon the employee’s part or it could be a sign of a problem in your financial controls.

A checklist of financial controls

The list below is provided simply as an overview of specific controls that are particularly relevant to reducing the opportunity for theft in a campus card office. The list is by no means exhaustive, but is presented as a means to encourage discussion and thought about this important, and too often overlooked, topic. (Note: The correct answer to each of these questions is ‘YES’).

  • Are employees who handle cash and securities bonded?
  • Are all such employees required to take annual vacations?
  • Are their duties assigned to others during the vacation period?
  • Is top-level manager satisfied that all employees are competent and honest?
  • Are job references checked?
  • Are budgets and cash projections used and compared to actual results with discrepancies investigated?
  • Are cash receipts centralized in as few hands as possible?
  • Is the receipt of cash provable by other records?
  • Are persons receiving cash banned from access to accounting records?
  • Are incoming receipts controlled by persons other than those having access to accounting records?
  • Is mail opened by a person having no access to cash receipts records?
  • Are each day’s receipts deposited promptly and intact?
  • Is the cashing of checks from daily receipts forbidden?
  • Are all disbursements except for petty cash made by check?
  • Does someone other than the person recording cash receipts prepare deposits?
  • Is an authenticated duplicate deposit slip received by someone other than the persons receiving cash, making the deposits, and recording cash receipts?
  • Does someone other than the bookkeeper or person who maintains accounts receivable detail:
    (1) Open the mail and pre-list all cash receipts before turning then over to the bookkeeper?
    (2) Stamp all checks with restrictive endorsement “for deposit only” before turning them over to the bookkeeper?

(Sources: Small Business Administration’s Internal Financial Controls for a Small Business, American Institute of Banking’s Essential Financial Considerations for Not-for-Profit Organizations)

Recent posts you might like

EVENTS AND WEBINARS

Receive the latest news

Subscribe to our weekly newsletter

The latest campus ID and security insight sent directly to your inbox.
Receive the latest news

Subscribe to our weekly newsletter

The latest campus ID and security insight sent directly to your inbox.