Focus on Law Firms: Managing Law Firm Fraud Risks – An Internal Control Checklist
Although the majority of employees are honest, a trusted employee will steal when three elements exist: pressure, opportunity and rationalization.
- Pressure arises when an employee is faced with a significant financial problem that he/she may feel unable to discuss with, or seek help from, others.
- Opportunity is present when the employee believes that he/she will be able to commit the fraudulent act without being detected.
- Rationalization is how the employee convinces himself/herself that stealing is okay. An attitude of “just this once” or “I deserve it” can provide the justification to commit a fraud.
By focusing on reducing the opportunity, law firms can strengthen internal controls and mitigate the risk of employee fraud.
What Makes Law Firms Susceptible?
Every organization is affected by fraud. However, the following circumstances can make law firms especially vulnerable to employee fraud.
- Lawyers tend to focus on serving their clients and the practice of law. Day-to-day operations are often delegated to employees with a significant amount of autonomy and limited oversight.
- Small firms, where employees are trusted to take on everything from client billing to opening mail, are especially vulnerable. Small firms have small staffs, and may find implementing internal controls or segregating certain job functions difficult.
- Because lawyers are required to keep clients’ money separate from their own, large sums of money can sit idle for long periods.
- When lawyers commit fraud, their legal skills can help them perpetrate or conceal the fraud.
Internal Control Considerations
A strong internal control environment is not just a best practice; it is a way to protect both the law firm and its employees. Below are 30 internal control recommendations to consider. Each firm should carefully review its internal controls and implement processes that are consistent with its risks, needs, and size.
- Identify risks:
Perform periodic fraud risk assessments to identify the vulnerability to, and significance of, fraud occurring in your law firm. Seek feedback from employees at all levels and responsibilities in this process.
- Build culture:
Build a highly ethical culture and communicate each employee’s responsibility to deter fraud and report suspicious behavior. Personnel and conflict of interest policies.
- Delegate responsibly:
Financial controls should not be over-delegated. Owners should stay engaged in the finances and be active participants in monitoring internal controls. Prepare a formal delegation of authority document that outlines how the firm allows for the responsible delegation of duties from one person to another while maintaining ultimate responsibility.
- Employee screening:
Preventing theft starts with hiring the right people. Law firms should conduct comprehensive background checks on all hires and verify employment history, references and application information. Consider conducting credit checks, especially on employees that will be involved in accounting functions.
- Segregation of duties:
In its most basic form, law firms should separate custody from reporting activities. No one person should have complete control over the management of funds or assets.
- Written policies, procedures and job descriptions:
Develop an accounting manual and outline job duties in written job descriptions. In addition, require employees to sign a conflict of interest policy and code of conduct policy annually.
- Trust accounts:
Develop the highest standards for trust accounts. Require two signatures for any trust account transactions and limit electronic activity. Have multiple people monitor trust accounts, including one independent professional. Consider establishing individual trust accounts for clients and allowing them to review their account activity online.
- Bank statements:
Have the monthly bank statements delivered to and reviewed by an owner of the firm. In addition, consider implementing a surprise inspection of the monthly bank statements before they are delivered to the firm on at least an annual basis.
- Adequate source documentation:
Disbursements for goods or services should only be made when there is an original invoice present. Do not approve disbursements based on a statement alone.
- Approval thresholds:
Adopt a policy of escalating approval level for expenses. Prepare a formal document that outlines who can approve transactions at specified monetary levels. For example, disbursements over a stated amount may require dual signatures or approval from the board.
- Mail and bank deposits:
Have someone other than the bookkeeper open the mail and prepare a list of all checks/cash received. Also, consider having this employee apply a restrictive endorsement (“for deposit only”) upon receipt. The person responsible for the mail can then route the list to the office manager and send a copy to the person responsible for making the bank deposit, along with the checks/cash received. Assign someone the responsibility of preparing the bank deposit and taking it to the bank. Someone else should ensure that the deposit slip, the check/cash list and the deposit receipt from the bank all agree.
- Client statements:
The office manager or someone without client billing functions should generate and mail monthly client statements.
- Check signers:
Your bookkeeper, or persons responsible for preparing, recording or reconciling disbursements, should not have check signing authority. Based on your firm’s delegation of authority, two check signers may be required. Do not pre-sign checks and avoid use of signature stamps if possible.
- Electronic payments:
Do not allow an employee to execute an electronic payment without the established approval process. This can be easy to do, because a check is not presented, with supporting detail, for review and execution by the check signer.
Outsourcing your payroll and implementing direct deposit can help mitigate the risk of payroll fraud. Require at least two approvals for any change to salary, pay rates or payment frequency. Review each payroll file for reasonableness. Consider using a dedicated zero balance account for payroll disbursements. Maintain detailed payroll registers which include each payroll check, gross amount, withholdings and net pay amount. An individual not involved in the cash disbursement process should regularly review payroll registers, annual T-4s, payroll tax reporting, and the Employer T4001 (payroll deductions and remittances) and T4130 (taxable benefits and allowances). (Revised to reflect Canadian requirements.)
- Company credit cards:
Carefully monitor the use of company credit cards. Balances that are paid directly by the law firm should have protocols in place to ensure that the transactions are properly reviewed, business purpose documented, security measures taken and supporting documentation reviewed before the payment is made.
- Employee expense reports:
Carefully review expense reports submitted by employees. Require that an employee expense reporting form is completed, the business purpose is documented and supporting documentation is provided. Require approval by a superior before being submitted for payment.
- Systems access:
Restrict and monitor access to application and data files. Use audit trail controls. The managing partner should also maintain an up-to-date list of logons and passwords of financial users. In the event of an employee separation, ensure that access is restricted and passwords are changed.
- Rotate duties:
Rotate job duties when possible, ensure that vacations are mandatory, and require that the vacationing employee’s responsibilities are to be performed by another competent person during their absence.
- Reconciliation of bank accounts:
Bank accounts should be reconciled at least monthly. With electronic banking, reconciliation can easily be performed more frequently.
Obtain adequate fidelity (crime and fraud) insurance to safeguard against employee fraud.
Establish a confidential means to report suspected fraud.
- Bank security features:
Research the security features your bank can provide. These features may include lockbox services, blocks/filters and call-backs on EFT and wire transfers, positive pay and online banking security features.
Bill timely and review any unbilled time regularly. Require approval for write-offs or to hold billing in excess of specified thresholds. Follow up on accounts receivable balances regularly.
- Journal entries and void transactions:
Limit and perform a thorough review of manual journal entries and voided transactions.
- New vendors:
Require that vendors be established and approved in the accounting system before a disbursement can be approved. Require that a vendor’s information includes the vendor name, address, email, phone number, contact name and account number. Use purchase orders if possible. Obtain information necessary for GST and other tax reporting, as applicable.
- Red flags:
Watch for behavioral red flags. Living above his or her known means, starting up a personal side business, or facing financial, significant health, gambling, or substance abuse problems are all behavioral red flags to watch for in an employee.
- Financial reporting:
Prepare and distribute financial and management reports regularly. Approve an annual budget and review discrepancies between budgeted and actual results regularly.
- Lock up sensitive data:
Ensure that employees do not leave access into the system unattended and lock up anything left in the office at night.
- Trust, but verify:
Properly supervise your employees and follow up on issues or irregularities identified. Using data analytics can be an effective way to test whether the internal controls are working as intended and to identify potential irregularities.
Remember, there are no absolute ways to eliminate fraud, but segregation of duties and practical consideration of internal controls can set the tone at the top and go a long way towards protecting the assets of your law firm.
- Organizations lose 5% of their annual revenue to fraud.
- Fraud cost organizations, on average, $150,000 per incident.
- The fraud went undetected for an average of 18 months.
- Fraud is most often detected by a tip.
- Organizations with reporting hotlines detected fraud faster and incurred fewer losses.
- Proactive data monitoring was associated with 54% lower losses and fraud was detected in half the time.
- The most prominent organizational weaknesses that contributed to the fraud were: lack of internal controls, lack of management review, and the override of existing internal controls.
Published by RubinBrown, Certified Public Accountants & Business Consultants
E-Focus Newsletter, June 23, 2016
Source: ACFE Report to the Nations on Occupational Fraud and Abuse, 2016 Global Fraud Study