Internal Control/ Anti-Fraud Program Design for the Small Business The Wiley Corporate F&A series provides information, tools, and insights to corporate professionals responsible for issues affecting the profitability of their company, from accounting and finance to internal controls and performance management. Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding. Internal Control/ Anti-Fraud Program Design for the Small Business A Guide for Companies NOT Subject to the Sarbanes-Oxley Act STEVE DAWSON Cover image: © Sergey Nivens/Shutterstock Cover design: Wiley Copyright © 2015 by Steve Dawson. All rights reserved. Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rose- wood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied war- ranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com. Library of Congress Cataloging-in-Publication Data: Dawson, Steve, 1962– Internal control/anti-fraud program for the small private business : a guide for companies not subject to the Sarbanes-Oxley Act / Steve Dawson. pages cm. — (Wiley corporate F&A series) Includes index. ISBN 978-1-119-06507-4 (hardback); ISBN 978-1-119-08372-6 (ePDF); ISBN 978-1-119-08371-9 (ePub); ISBN 978-1-119-08373-3 (obook) 1. Fraud—United States—Prevention. 2. Small business—United States— Auditing. I. Title. HV6691.D39 2015 658.4′73—dc23 2014049431 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 To my wonderful wife, Ebeth, the matriarch of our incredible family and the strongest person I have ever known. Without your constant support, this work would have never become a reality. Contents Preface: Maybe It’s Time We Get Back to the Basics xi Acknowledgments xvii PPPAAARRRTTT III::: TTTHHHEEE AAANNNTTTIII‐‐‐FFFRRRAAAUUUDDD EEENNNVVVIIIRRROOONNNMMMEEENNNTTT::: TTTHHHEEE BBBLLLUUUEEEPPPRRRIIINNNTTTSSS,,, THE FOUNDATION, THE GROUND FLOOR Chapter 1: The Architect’s Blueprint: Establishing the Framework 3 The Elements of Anti‐Fraud Program Design 3 Anti‐Fraud Environment 4 Fraud Risk Assessment 4 Control Activities 5 Information: Program Documentation 6 Communication: The Company Fraud Training Program 6 Monitoring and Routine Maintenance 7 Chapter 2: Foundational Policies: The Fraud Policy 9 Foundational Policies 10 The Fraud Policy: The Essential Elements of an Effective Fraud Policy 10 Case Presentation 17 Chapter 3: Foundational Policies: The Fraud Reporting Policy 19 The Essential Elements of an Effective Fraud Reporting Policy 20 vii viii ◾ Contents Chapter 4: Foundational Policies: The Expense Reimbursement Policy 29 Case: “No Questions Asked” 29 Case: “It Will Never Be Missed” 30 Case: Larry the Chief Financial Offi cer 31 The Elements of an Effective Expense Reimbursement Policy 32 Appendix 4A: Expense Report Form 39 Appendix 4B: Supplemental Business Meal and Entertainment Charges Form 40 Chapter 5: The Ground Floor: The Fraud Risk Assessment Process 41 Ground Rules for Fraud Risk Assessment 42 An Example of Risk Assessment 43 Procedural Steps for Performing a Fraud Risk Assessment 44 Cash in Bank 48 Case: The Trail Is Gone 50 Case: Friends in Low Places 51 Asset Misappropriation 52 Corruption 53 Financial Statement Fraud 53 PPPAAARRRTTT IIIIII::: AAANNNTTTIII‐‐‐FFFRRRAAAUUUDDD CCCOOONNNTTTRRROOOLLL AAACCCTTTIIIVVVIIITTTIIIEEESSS::: RAISING THE WALLS Chapter 6: Control Activities: The Absolutes 57 Critical Principles of Control Activity Design 57 Foundational Control Activities 59 Case: The Mail Drop in Las Vegas 64 Appendix 6A: Confl ict of Interest Form 67 Appendix 6B: New Vendor Establishment Form 68 Chapter 7: Control Activities: The Segregation of Duties Dilemma 69 But I Only Have Two Employees 69 Prevention versus Detection Controls 70 The Necessary Review Processes 72