Financial control may be dull but it is important.
The recent case, involving a financial controller stealing £351,000 from her employer across 43 transactions in a three year period, illustrates the point.
The fraud involved the approval of supplier invoices that were processed and paid to the account of the financial controller.
Budgets are an important overarching expenditure control for all businesses and a first observation on reading this story is how can more than £100,000 a year not show up as a variance to be investigated? One answer may be that this is not material at the reporting level, in a large business. Another may be that the financial controller was responsible for, either budget preparation and built this in, or for explaining away variances and did a good job.
The information above suggests the average fraud was £8,200. This may be a lot for a small business but for a larger business processing thousands of supplier invoices per month it may be easier for one such transaction to pass through without too much attention being paid to it.
It appears, in this case, transactional control was based on manual approval signatures on an Invoice Approval Form. Investigation into the fraud arose because a Vice President (“VP”) saw a form carrying his signature and was sure he had not signed it.
Masterfile controls (supplier list and payment)
This fraud appears to have avoided any controls over the establishment of new suppliers by presenting additional invoices that appeared to be from existing suppliers.
This fraud appears to have relied on the ability to make payments utilising multiple bank accounts for each supplier. This can be the case where payments are made against the sort code and account number shown on the invoice, rather than bank details verified against each supplier. BACS payments do not check the name of the account just process against sort code and account number
Manual supplier invoice processing systems, utilising an Invoice Approval Form, or stamp, rely on two key listings
- the approval matrix: who can sign for what (often by department budget codes, or expenditure categories), and for how much.
- the approved signatory listing: A list matching printed names and related signatures.
The effective operation of these systems is dependent on the staff processing invoices being aware of both the authority register and the signatures. The passage of time often results in the authority register being replaced by custom and practice and knowledge of whose mark (signature) belongs to who becoming fuzzy. In the case at hand it appears that the “fake” signatures were a reasonable representation of the VP’s signature.
External auditors are unlikely to identify such frauds because their role is to focus on material misstatements of the financial accounts and not transaction level fraud. They do have a responsibility to ensure controls are adequate. As noted above manual supplier invoice processing systems may appear on the surface to be reliable.
They may catch such transactions in their samples but in a company processing thousands of invoices a year the 12 odd transactions required would stand a small chance of being selected. Even if selected their audit tests may not, in this case, have identified the fraud for example the approval signature may have been reasonably close to the one on the signatory list.
The auditor, just like the staff at the company, is not a handwriting expert.
The auditor’s primary concern is, if the transaction has been approved, is it properly identified in the accounts, not whether is it legitimate. The approval should be a good indication that it is legitimate.
Improving control over supplier invoice approval
In a manual supplier invoicing environment there is a way to improve control, it involves a lot of rigour, communication, focus and time. Staff may be working very hard and be very diligent but they are also pushed for time. They face a battle between being efficient and being in control. So perhaps on occasion they relax their rigour, reduce their communication and focus and just make things happen to save time.
There is a way to both improve control and gain time. It involves “going digital” and automating the accounts payable approval process using workflow.
Using workflow for an approval process introduces consistency. The rules established by the authority register are built into the workflow. An invoice requiring the VP’s signature is pushed to the VP for approval it can’t go to anyone else without the rules being changed.
The VP has visibility over all the documents they have approved and the documents that their delegates have approved. There is an audit trail covering each invoice from receipt to approval and visibility of where each invoice is in the process.
The system identifies each VP, and other user, through their user credentials, relying on sign on and password controls. There is no requirement for an additional digital signature which is often thought of as the digital equivalent of manually signing a document.
There is a certain false comfort around manual signatures as illustrated by this fraud. If you would like to know more about how using workflow can improve your supplier invoice approval process get in contact.