Jane Dosh was the comptroller and a trusted employee at Smith Interior Design Co. (SID), a small and close-knit professional services firm catering to high net-worth families and individuals, for almost 15 years. As comptroller, she managed many aspects of SID’s financials — such as paying bills, managing payroll, and purchasing supplies for the company and clients — with oversight from Robert Smith, the company’s co-founder. Smith was responsible for monitoring the company’s finances. When he passed away in 2011, his financial responsibilities were added to Dosh’s workload, which meant she handled every aspect of the company’s finances with no oversight. She continued in that role for the next few years until she unexpectedly resigned on Dec. 31, 2016.
Internal Audit Manager Heather Dittman was the sole internal auditor at SID and did not have the resources to provide a routine set of reviews aligned with a regular risk assessment. As part of her annual plan, Dittman performed a standard review of the accounts payable process. The audit program included sampling transactions, checking support, and ensuring appropriate authorizations. During her review in early 2017, she documented several unsupported and unexplained transactions.
During the validation process, Dittman interviewed several employees for supporting explanations and documents, but they were unaware of the expenses and could not retrieve the records. Having exceptions in the validation process was a typical event for Dittman, but a large number of unexplained exceptions was unusual — plus there was no supporting documentation.
Dittman reached out to Dosh, who insisted that the records must be misplaced and that she would find them and send them to Dittman. However, as days turned into weeks, Dosh did not send the records. Dittman sent numerous follow-up emails and voicemails, which went unanswered. After weeks of no response, Dittman went to the file room to search for the records herself, but the room was empty.
Unable to obtain answers from Dosh and concerned about missing records, Dittman escalated her concerns to the CEO and chief financial officer and recommended a forensic review. Given Dosh’s control of the financial processes, it appeared possible that she had defrauded the company and was now covering it up. Management was concerned about the extent of the fraud and the company’s ability to recoup the money. As a result, management agreed to a forensic review.
The forensic review began with traditional surveillance of Dosh to uncover the facts necessary to figure out the fraud. During lunch on the second day of surveillance, Dosh went to a local boutique. This piece let the investigators assemble the rest of the puzzle.
Dosh wanted to be an entrepreneur, but she lacked funding. When Smith died, another employee, Helen Brown, was granted a company credit card, and Dosh saw her chance. She had access to the new card’s information and knew nobody would be monitoring the credit card activity but her. Dosh then contacted Alexandra Johnson, an acquaintance who worked at a luxury clothing store nearby, and the two began a joint business venture. Dosh went to the store where Johnson worked, and they set up a store account using Brown’s company credit card. Johnson later quit her job at the boutique and got a job at another clothing store. There, she set up another account with Dosh using Brown’s credit card. Dosh also bought expensive jewelry and clothing from other boutiques on the card. She would pay off her purchases on the company card every month from SID’s checking accounts.
When forensic investigators recovered the contents of Dosh’s company computer hard drive, they found detailed plans for a boutique clothing and accessory business owned by Dosh and Johnson. Private investigators followed Dosh for weeks to locate where she was storing the fraudulent purchases. She also forged the signature of the second company co-founder on multiple fraudulent checks to purchase personal goods and services, including payments to family-owned businesses. Investigators went through years of company financial documents to find that she had embezzled more than $4 million from the company in just five years.
SID and the investigators turned the case over to federal law enforcement. Dosh pleaded guilty and is awaiting sentencing for charges related to identity theft and fraud. SID implemented several policies and procedures to prevent the company from getting defrauded again, including:
- Disbursing cash only after appropriate management authorization and only with dual approvals over certain threshold amounts to ensure company funds were being spent for approved business purposes.
- Reviewing all cash receipts and disbursements as part of a monthly bank reconciliation.
- Separating financial duties so no one person would handle all of the responsibilities.
- Backing up all financial transaction source documents to multiple locations so the documents would not be lost if any one location was compromised.
- Developing a risk assessment program to allow internal audit to review, assess, and identify weaknesses in the internal controls and point out areas of high risk concerning fraud.
SID realized that internal controls do not have to be an impediment that slows down work processes. While there is no such thing as a one-size-fits-all system of internal controls, getting the focus of their internal controls right helped safeguard and develop their business.
- No company is immune to fraud. Internal audit needs to help the organization prevent and minimize fraud risks. Small companies that are reluctant to invest the money to provide more internal audit coverage should consider the return on investment in comparison to a $4 million embezzlement. It is imperative for companies to set up internal policies and procedures that separate duties, promote accurate documentation, and systematically evaluate and counter all potential risk.
- Internal audit should perform a fraud risk assessment to help leadership in small companies understand the extent of their vulnerability to fraud. Significant procedural or segregation of duties gaps can be identified during the process without requiring substantial investment in audit resources. Many of the control weaknesses in this case would have been uncovered during the assessment process.
- Internal auditors should include a fraud risk assessment as a standard part of their work plans. It applies to every company and is the most compelling method of educating management about fraud vulnerabilities. The act of communicating this tool throughout management is sometimes enough to prevent fraud.
- Internal audit needs to know when to involve a forensic investigator. Forensic experts can provide different tools, such as recovering erased hard drives and conducting surveillance, and will preserve the chain of evidence in a fraud case.