In 2009, LeBarge Inc., an oil rig company, was growing beyond the size of a typical small business. The owner and CEO, Lou Smith, decided to hire an accounting firm, which recommended that he add an internal auditor to the team to ensure his control environment kept up with the expanding needs of the business. Concerned about the cost of hiring a full-time person with salary and benefits, Smith decided to forgo the recommendation.
Each year for the next five years, the accounting firm again recommended that Smith hire an internal auditor. LeBarge continued to grow, but profits were shrinking. Smith could not understand why. Costs should be going up, but they were growing faster than revenues. The company’s chief financial officer (CFO) and Smith’s longtime friend, Jennifer Hagan, offered reports showing increased vendor costs and evidence of inflation. None of this made sense to Smith, as his intuition suggested profits should be up $200,000 annually. In 2014, Smith reluctantly agreed to hire veteran internal auditor Corey Ortiz.
Ortiz joined the company and quickly scoped out his first review of the highest risk area, the financial ledger, which was in QuickBooks. Ortiz prepared a standard audit program that focused on journal entry and reconciliation controls, system access rights, and segregation of duties. The program included walkthroughs of journal entries to evidence support and authority for the recording processes. Bank reconciliation testing was included to understand the process and follow transactions from the ledger to the reconciliation. The program included pulling and reviewing samples of journal entries and reconciliations to check for completeness, timeliness, support, and authorization. And finally, the plan included getting administrative access to QuickBooks through IT and viewing roles and rights within the system.
Companies that expand, whether large or small, are exposed to new risks. Controls designed for the business often stretch and break. In small companies, daily supervision and involvement by the owners often provides significant control value. Decreased supervision in a growing business causes normal control weaknesses, such as segregation of duties, to become glaring opportunities for waste or abuse.
Owners of small companies are not risk professionals. Growing companies are rarely prepared to identify and mitigate the expensive risks associated with their new success. Internal auditors are trained risk professionals and provide organizations with resources focused on identifying, preventing, and managing these risks.
Start with the ledger and work outward. Access controls and segregation of duties within the financial systems are the cause of many frauds. Trusting one person to manage the financial resources of any company is a dangerous strategy and should always be top of mind for any internal auditor and the first place to look.
Know the financial system’s logging and reporting features, as small systems sometimes don’t have robust controls. Reviewing reports on various changes, such as mailing addresses, employee name, and vendor name, can lead to early fraud detection.
Ortiz wanted to get off to a strong start and help the organization understand the internal audit process. He spent two weeks creating an audit program, scoping memos and other official communications. He communicated with his stakeholders in polite and professional emails, requesting samples and employee interviews.
The fieldwork began on the first day of week three. Samples were pulled and Ortiz started with the IT manager, who was prepared to show him around the QuickBooks program. At 11:00 a.m., Ortiz stopped the audit and contacted the CEO for an immediate meeting.
Ortiz explained to Smith that while reviewing the system administrative rights in QuickBooks, he found that the CFO, Hagan, was the only person with access to the system. This meant that she could create entries, make payments, and edit all data within the system with no checks and balances. It was not surprising to Ortiz that a small company with recent growth had such glaring segregation of duties issues within its ledger. However, a quick review of the system audit logs for the previous month showed numerous changes to payment fields, which is unusual in the normal course of business. He then checked the names of the vendors before they were changed in QuickBooks.
After the meeting with Smith, Ortiz spent the rest of the day working with the IT manager to identify vendor name changes that occurred over the past year. The next morning, Ortiz and Smith called a meeting with Hagan. Ortiz asked her to explain each vendor name change. Hagan was clearly uncomfortable, but offered an excuse about how the system has errors that need to be fixed sometimes.
Skeptical about the explanation, Ortiz started the next day by requesting a vendor spending report for the previous year. He then contacted each vendor and asked them to provide an updated billing summary for that time period. When Ortiz compared the reports, he found a $250,000 discrepancy for the past 12 months.
By the end of the day, Ortiz, Smith, and the human resources manager confronted Hagan with this information. For 15 minutes, she acted surprised and hurt at the accusation. Smith suspended Hagan without pay while the investigation continued. Law enforcement was notified the next day.
In 2017, Hagan was tried and convicted of embezzling more than $800,000. For five years, she used the company’s financial ledger as her personal checkbook to pay bills and purchase items. She would later change the vendor name in the payment information fields to a business-related vendor. By slowly increasing her theft as the business grew, she was able to convince management that the expenses were related to challenges associated with normal business growth.
Hagan pleaded guilty to a felony charge of aggregated theft. Before her plea agreement, she paid back half of the money she stole and agreed to pay the rest when her six-month jail sentence concluded. LeBarge has recovered its status of profitability.