Dave Cain: Welcome to unsuitable on Rea Radio, the award-winning financial services and business advisory podcast that challenges your old-school business practices and the traditional business-suit culture. Our guests are industry professionals and experts who will challenge you to think beyond the suit and tie while offering you meaningful modern solutions to help enhance your company’s growth. I’m your host, Dave Cain.
Is your company at risk? Would you know if it was? If an issue did arise, would the internal control procedures you have in place be enough to identify and fix the issue, or would you be left scratching your head, unsure of how to proceed? Have no fear, Zac Morris, a Principal and Director of Rea’s Government Services Team is here to talk about internal controls. Zac is going to talk to us about why something as simple as implementing internal controls can save business owners a lot of sleepless nights and maybe even the business itself. Welcome to unsuitable, Zac.
Zac Morris: Thanks for having me, Dave.
Dave: And this is your first time on the show. And we always like first-time visitors. Before we get into the topic of internal control, I was looking at your bio, and your leadership presentation and involvement in the community is second to none. I congratulate you on your leadership positions in your community.
Zac: Thank you.
Dave: And also within Rea & Associates. Job well done.
Zac: Thank you.
Dave: Whether it’s treasurer of this, sports activities, you name it, you’re involved.
Zac: I try to stay involved. Try to live the Rea way.
Dave: And you do. And certainly as you look at your bio on the Rea net, I certainly see that your heavily involved with family activities. So you have a great work/life balance and work through some family activities as well.
Zac: We try.
Dave: I do want to talk to you a little bit about your family and things you do around the house. I understand you’re relatively domesticated around the house. I understand you’re pretty good at changing diapers… pretty good.
Zac: I’ve been known to change a few. My wife will probably say it’s not enough. I try to pull my weight.
Dave: What kind of house work do you help with around the house? Do you run the vacuum cleaner? Do windows? How do you help out?
Zac: It depends on the day really and the task at hand. Sometimes I’m voluntold to do different things around the house and I try to comply just like I do at work.
Dave: Are you in charge of cleaning the bathrooms at home?
Zac: Occasionally, yeah.
Dave: So you do it all.
Zac: Sometimes. But I don’t want this to be aired. Because if this happens, my wife is going to expect more from this. I’m probably inflating my contribution to the household a little bit. So thanks for that.
Dave: You’re in charge of grilling I suspect.
Zac: Yeah. Now that I can do. That I can do.
Dave: Anyway, we want to talk about internal control. It’s hot and heavy these days. And certainly where you’re involved in government entities, you’re always looking at internal controls. Let’s start with, as we talked a few minutes ago, about some stories you had about weaknesses in internal control or maybe some theft stories. Can you share a few?
Zac: I think there’s one large theft that comes to mind that maybe some of the listeners will have heard. A lady by the name of Rita Crundwell in Dixon, Illinois, over the course of a number of years, stole about $53 million from her employer, which was the city of Dixon. She was the comptroller there. To think about the size of the theft, when you’re looking at a city with an annual budget of about $10 million. So over a number of years, she was able to steal $53 million. And really some of the things that we’ll end up talking about today could have potentially prevented that, or I won’t say prevent, but maybe could have stopped it sooner and avoided reaching that point.
Dave: And that’s a good example. And that’s a large organization, a larger organization. Think about some of the smaller organizations. Whether you’re a government entity, not-for-profit entity, or a for-profit entity.
Zac: And that’s a great point. Because you look at the size of the organization and sometimes some of the smaller, closely-held businesses I could see having some more of an issue in the internal control arena just because of the lack of people that they have. And you have people wearing multiple hats. There might not be appropriate segregation of duties. There might not be proper training for the people that are carrying on those functions. And some of that could lead to error or could be fraud.
Dave: How do you create an appropriate environment of internal controls? That’s a high-level discussion, not a very popular discussion. But it needs to be had. And how do you create that environment?
Zac: It really is a … It starts with the tone at the top. You hear that phrase a lot, especially when it pertains to internal controls. And you’re looking for leaders, department managers, various people within the organization who will set that tone and really hold people in the organization accountable for their duties and following policies and whatever might be appropriate for that organization.
Dave: The tone at the top, and we hear that a lot, but if the tone at the top, if they’re not paying attention to internal controls or bypassing internal controls, then the organization is wide open.
Zac: And if you look at many frauds, many of those happen just based on the fact that there is opportunity to take or steal or not safeguard an asset properly or to misappropriate, however it may be, just based on the fact that nobody is looking.
Dave: Right. And again, the example you used was a government entity, that was theft of taxpayer money.
Zac: Correct. Taxpayer dollars. Where within that organization itself, you were looking at firefighters being laid off because of budget cuts. You were looking at roads that couldn’t be fixed because they didn’t have the money to invest in the infrastructure, while this lady was investing in horses and farms and different things of that nature. She had a really nice RV I hear. And everybody assumed it was family money. There weren’t a lot of people that asked questions. Everybody trusted her. And that’s the first failure that you find in internal control is you trust.
Dave: You trust. How was that fraud exposed? Do you recall?
Zac: Really, it happened … She had taken some time off. And she was on vacation, and she had created some … She had opened a bank account under the city’s name with an out-of-state bank. And when you looked at how that was working, she created a reserve fund. And so she would put money in that reserve fund every month. And when she was on vacation, some of those bank statements come in, and they didn’t look right. And one of the other people in the department took them to the mayor. And then they started investigating. And that’s really how-
Dave: It just didn’t smell right. Didn’t look right.
Zac: It just didn’t smell right.
Dave: So you used the word trust. Certainly trust is part of internal control, but it can’t be the only piece.
Zac: Oh, absolutely not. It’s really your first line of defense is you want to respect everyone, trust no one, especially if it comes to your money as a business owner or if you’re trying to protect donations to an organization from an individual, or if they’re public tax dollars. So you want to trust the people you work with, but you have to make sure that you have appropriate lines in place for them to not only safeguard that money, but then to protect the people who are handling that money as well.
Dave: As the director of Rea’s Government Services Team, just give me a feel, how many audits would you and your team oversee in a year?
Zac: From an audit opinion perspective, we issue probably 150 audit opinions at a minimum on an annual basis.
Dave: That’s a pretty significant amount of audit reports and audit tests and internal control systems. There aren’t two that are the same, are there?
Zac: Not really. It’s all … You have the framework to where it’s all built from. But from each organization, it really boils down to what works best for them and how they have developed procedures to safeguard their processes and to follow their policies.
Dave: Again, what we’re talking about here are situations that regard … Like you said earlier, it doesn’t matter whether it’s a school district, a city, a county, a manufacturer, a retail, a booster club, all of the above are exposed.
Zac: It’s interesting because you look at … You named through all those types of organizations, and the ones that I would worry the most about if I were to do any type of review would be the booster clubs, would be the PTOs, and those organizations that have volunteers. When you look at a volunteer organization, a lot of times there isn’t structure and there aren’t processes to guide those people. And we talked again about opportunity. And so those people have outside pressures to take that money. Or if the opportunity presents itself, they might try it. And if they get away with it the first time, then it’s one of those things that they’re going to go back to the well again.
Dave: Sure. Let’s go back to something you started the podcast in. This is your grilling talents. Are you charcoal, or gas grill, smoker? Where are you at?
Zac: All of the above.
Dave: All of the above.
Zac: All of the above.
Dave: What’s your favorite thing to do in the smoker?
Zac: I’m a big fan of doing rib roast, prime rib.
Dave: How long do you leave that in the smoker?
Zac: You don’t rush it. You put the thermometer in, and when it hits a 132 degrees and you turn that heat up to give it a little bit of a crust, and when it hits a 135, you pull it off. It’s just one of those things. Don’t rush.
Dave: What’s your beverage of choice while that smoker is going on?
Zac: Probably an ice cold Keystone Light I would have to say.
Dave: I see you stepped up your game over the years.
Zac: It is what it is. I am a Holmes County guy, so I will always drink my Keystone Light.
Dave: And proud of it.
Zac: That’s right.
Dave: So as I’ve read some of your group’s white papers and heard you speak and your group speak, and not only at firm functions, but around the state of Ohio, you constantly use the term risk assessment. What is risk assessment?
Zac: Really from the risk assessment perspective, what you look at there is what type of activities that management might be performing to determine where areas of the business, they might be subject to error or fraud or where the safeguards might not be in place. I always like to use the example from a risk assessment perspective is any time you would have any department within any type of organization where there is cash exchanged, that would inherently be a higher risk than that where there might be a wire transfer.
Dave: So whether it’s cash, maybe gold bars, high risk.
Zac: Whatever it may be. Yeah, we probably have a lot of clients that we work with deal in gold bars. So I’d like to get involved in one of those.
Dave: Well, you’d be in the business long enough, you just might have an opportunity.
Zac: Hey, it is what it is. I just would love the opportunity.
Dave: So go back to this risk assessment. If you’re in an engagement, your team is in engagement, and it just doesn’t feel right, doesn’t smell right, there’s something bugging you, what’s the next step?
Zac: Sometimes those are the crucial conversations that we talk about and ways to have conversations with management or people in the department that might have some knowledge of the process really just to try to understand. And sometimes, there could be some things that might not smell right, but it could potentially be because you don’t have a proper understanding of the process. And so we try not to assume. But it’s interesting, as you start to interview some of these people, and that’s where the interview skills come into play. Because we have some folks that are very good at that skillset of interviewing. And you can see the sweat beads start to come onto people. Or they might just not have any emotion at all. And so depending on how the reaction is, you might go to their manager or something in that general direction, just really try to uncover what it is you’re looking at.
Dave: Okay. I’ve just engaged your team to perform a financial audit of my records. Can I expect you to find fraud?
Dave: Why not? I saw your fee structure. You’ve got to find fraud.
Zac: That sounds about-
Dave: You guys have been here for like three weeks. What are you looking at?
Zac: That sounds about right.
Dave: What are you looking at?
Zac: The audit process is not designed to detect fraud. If there were something that were to be discovered during the audit process, obviously we have the responsibility to communicate that. But when you’re looking at audit methodology and sampling processes, I would say the rate at which some frauds might be detected, and if you were looking at some of the fraud reports issued annually, many of those detections don’t come from the audit process. Most of them actually come from either someone in the organization or some other connection to those people providing tip or indicating they think there might be some type of wrongdoing.
Dave: I think a lot of our listeners would be surprised to hear that the typical audit is not designed to detect fraud. And I think a lot of times, people go out and hire auditors thinking they’re going to find fraud.
Zac: I think that would be a … Without an understanding of the audit process and the standards, that could be a misconception that is out there. The job of the audit is to determine that the financial statements are fairly presented. And so it’s looking at the processes around those statements and how that financial data rolls up into that financial statement.
Dave: But as part of the financial audit, you will … Or I guess will you review the internal control process?
Zac: Absolutely. Especially in the world that I live in specifically with government auditing standards is reviewing that and reporting on that internal control process. And in entities that receive federal dollars, it’s the internal controls over maintaining compliance with those grant agreements and contracts.
Dave: So as you go and you assess the internal controls, and you do find weaknesses, I think there’s a discussion, like you said, a crucial conversation with management that with weak internal controls, you’re wide open.
Zac: It is. Not only do you need to have those discussions, but then when you look at the audit process, you go back to that risk assessment. That creates risk. And because there is risk there, that there could be error. I hate to jump right to fraud, but error or fraud, then that changes how you address that appropriate area.
Dave: But that’s your training. That’s what you’re designed to do. That’s what it is.
Zac: That’s what we’re supposed to do.
Dave: We talked about creating the appropriate environment for internal controls and that’s the tone at the top. And certainly you enlightened us on risk assessment. Let’s talk about staff training and monitoring in the area of internal controls. Where do you start with training and staff training of internal controls?
Zac: I’m glad you bring that point up because it’s just like anything else. You can create the procedure, you can design the policy, you can hire good people, but if you don’t appropriately train them, hold them accountable, follow up, none of it’s really any good. So when you’re looking from that perspective in that staff training, it’s not something you want to do one time and then move on. It’s an ongoing like a pulse check on that process. And then you can also update that to make sure is the control that we’re doing, is it still appropriate. And so that ongoing monitoring process and communication with those employees, really it circles back then to creating that environment and letting those employees know how important that really is to the organization and to what they do for the organization.
Dave: So ongoing training. It’s just not one time.
Dave: It’s on and on and on.
Zac: So for it to be effective, you would need to do that.
Dave: Sure. If my organization, as an owner of a company, I wouldn’t know what internal control is. I thought, “Well gee, my accounting staff, they do the bank reconciliation. They make the adjustments, do the receivables. I never see anything out of the ordinary. But I really don’t know what the internal control … I believe in it. But I don’t know what’s going on.” Does your organization and your team, will you go in and study those internal controls and make recommendations back to me?
Zac: Absolutely. And these are the things that … The types of projects now that are, as you mentioned at the beginning of the session, talking a lot about the internal controls and being on the forefront of people’s minds based on news stories that hit the paper every day. It’s just like anything else. If somebody has great internal controls, you’re not going to see it in the paper or on the news. It’s always when something goes wrong and somebody takes something or they use something inappropriately. So that’s always people trying to protect, business owners trying to protect what they’ve built, governments trying to protect taxpayer dollars. Those are the type of projects that we started to engage in more frequently I would say in the last couple years.
And one of the things … It’s interesting because we actually just did one of these for an organization. And I’ll tell a short story. But we went in and we were interviewing the person in charge of the finances, and he had an assistant. And we were talking to him about what the assistant’s duties were. And we had found out that the assistant collects any cash. All the checks that are mailed into this assistant, she opens them. She posts everything to the ledgers. She prepares the deposits. She makes the deposits. And she does the bank reconciliations.
And it was just a casual conversation. And one of the staff said, “It would appear that you have a segregation of duty issue.” And the gentleman looked at him and said, “No, that’s what I pay her to do.” So really it starts with an understanding of where you’re exposed. And so that rolls back to that risk assessment again and just not seeing what could potentially go wrong there. And so those are the types of organizations that we can go into and see that process and hopefully provide some value to them.
Dave: You also talk, whenever we talk about internal controls, our minds immediately go to fraud. But also, internal controls are designed and should be in place to prohibit mistakes or catch mistakes in financial reporting.
Zac: And that’s a great point. Because you are right, immediately you turn to fraud. But we have these conversations, specific to the example I just gave, is you implement some type of segregation to that process so that you can not only protect the organization, but you’re also protecting that employee. And you can assist them to where if there is an error, then it may not be the first thing that you go to is, “Well, you took it.” And if you can add some steps into that to help safeguard not only the asset, but then to make sure that you’re providing the appropriate process and training for that employee, then you’re protecting them as well.
Dave: Right. Let’s go in the last few minutes we have, you used the term segregation of duties. I’m not sure exactly what that means. What does lack of segregation of duties mean?
Zac: Well, the lack of would mean you don’t have any segregation of duties.
Dave: Well, no kidding.
Dave: You’re an auditor with a personality. This is pretty good. A little humorous.
Zac: Yeah, there we go.
Dave: Get a picture of that face. Look how red that face is.
Zac: What you’re looking at is if you have a process … From a process start to finish, you obviously don’t want one person to have control of that entire process. If you can insert somebody else as an oversight or some type of monitoring of that process or it can alleviate that entire process by picking up a piece of it. And you create that segregation, so you don’t have one person responsible for that entire process, then that’s what we’re looking at.
Dave: Thanks. Good explanation. Our guest today has been Zac with Rea & Associates and Director of Rea’s Government Services Team, located in Millersburg, Ohio, Holmes County.
Zac: That’s right.
Dave: And if you’re up that way, stop in and see Zac. He’d love to see you. Thanks again for joining us on unsuitable today.
Zac: Thanks for having me.
Dave: It’s clear to see why establishing and maintaining internal controls is so important. Listeners, if you want to learn more about creating the appropriate environment of internal controls, risk assessment, or staff training and monitoring, let me know at podcast at Rea CPA. In the meantime, check out our website at reacpa.com for past episodes of the podcast, articles, video and more. And don’t forget to subscribe to unsuitable on iTunes or check out video from today’s episode on Rea’s YouTube channel. Thanks for listening. Until next time, I’m Dave encouraging you to loosen up your tie and think outside the box.
Disclaimer: The views expressed on unsuitable on Rea Radio are our own and do not necessarily reflect the views of Rea & Associates. The podcast is for informational and educational purposes only and is not intended to replace the professional advice you would receive elsewhere. Consult with a trusted advisor about your unique situation so they can expertly guide you to the best solution for your specific circumstance.