Several years ago, while working as a compliance officer for a multinational corporation, I received a telephone call from an employee (let’s call him “John”) who wanted to meet at an offsite location. The renzdevous was to talk about a compliance issue that he was too frightened to discuss in the office. I took down the address of the hotel where he was located and drove to meet him.
When I arrived at the hotel lobby, I saw a visibly nervous young man sitting in a lounge area who I surmised correctly was the person who called me. John explained that he worked in our firm’s accounting office and had discovered what he believed to be a scheme carried out by the company’s CFO (let’s call him “Sam”) to defraud the company of hundreds of thousands, if not millions, of dollars. John told me that he came across some documents that raised his suspicions while performing his routine accounting work. Then, to ensure he would not be noticed, John came into the office on a Saturday and started digging through the files to verify his suspicions. What he discovered was indeed breathtaking.
He pulled copies of the documents from his briefcase and spread them across the coffee table in front of us. Taking them one at a time, John was able to show me that the company’s CFO was cashing our company’s checks made payable to a computer company that was supposedly one of our approved vendors. Upon inspection, it was readily apparent that the signature on the back of the cashed checks was identical to the CFO’s. John further reported that he found hundreds of checks dating back many years.
The evidence of fraud was so convincing, I took immediate steps to preserve evidence. Sam was out of the office that day, so I managed to change the locks on his office door and the combination for the lock on the exterior office entrance without him knowing. We also removed Sam’s access to the company computer systems and began preparations to confront him with the evidence of his wrongdoing when he returned to the office on Monday.
We intercepted Sam when he arrived at work Monday morning and brought him to the office of the human resources VP where I was waiting with Sam’s boss and the head of HR. At first, Sam denied any wrongdoing. But when his boss pushed copies of the cashed checks with his signature on them across the table and asked for an explanation, he quickly admitted to the fraud.
We learned that Sam had created a fake company and used forged documents to open up a bank account. Sam would then send fake invoices to our firm and instruct his subordinate to allow him to handle that account. Sam had control of the key to the company’s check signing machine, and took advantage of our bank covenants that permitted machine signatures of company checks up to $5,000 without a counter signature. All the invoices from the dummy computer company were for amounts under $5,000. He would use the check-writing machine to produce the checks and mail them to a P.O. box specified on the invoice. After retrieving the checks from the P.O. box, Sam would sign the checks and deposit them in a bank account he set up for the fake company. Sam did this on a weekly basis for 10 years, stealing over $2,000,000 from our firm.
Following Sam’s inculpatory interview, I drove to the local FBI office and provided evidence of Sam’s crime, which led to his conviction and a jail sentence.
As you might expect, in the post-investigation assessment that followed, we performed a very thorough review of our financial controls. In so doing, we learned a lesson that I’ve never forgotten. Our financial controls were textbook perfect. All the necessary checks and balances were in place. However, there was a fundamental weakness that we had failed to account for — the tendency of even the best financial professionals to follow what their boss tells them to do regardless of whether it contradicts the rules.
A single individual in our accounting office was responsible for validating the authenticity of all invoices through various means. By all accounts, the employee assigned this task was a stickler for following the rules with everyone in the company. But she made an exception for Sam because he was the CFO and her boss.
We learned that our controls were grounded on the false premise that we could effectively mitigate fraud risk merely by drafting and training staff on the procedures in our finance manual. When developing and implementing our controls, we failed to take into account the overwhelming power of social dynamics in driving behavior. Specifically, we failed to develop and implement training programs to counter the enormous pressure employees feel in a hierarchical organization to follow orders from their superiors — even when doing so runs contrary to written company mandates. I suspect that your company’s controls suffer from the same weakness.
The fact of the matter is that checks and balances built into your firm’s compliance controls are not self-implementing. They all require individuals to apply them consistently regardless of pressure they may feel from others to do the contrary. This, rather than poor drafting, is the weak link in most, if not all internal controls.
One way to strengthen this weak link is through the development and implementation of compliance training programs specifically aimed at helping employees understand that they are empowered to say “no” to anyone who asks them to break the rules regardless of the rank of the requestor. They should also be trained on the proper procedures for granting exceptions to policy — which may be required on occasion — that would require approvals from multiple individuals.
Regardless of how you choose to fix this issue, remember that your internal controls are only as strong as the people who you rely upon to implement them.