Keeping a tight rein on cash, and those who manage it, ensures that sufficient corporate funds are available when needed.
Jonathan Marks, CPA/CFF, CFE, Partner In-Charge of Fraud & Ethics, Crowe Horwath LLP
The treasurer of one of the largest oil companies in the United States recently learned that the controls over the initiation of wire transfers were alarmingly loose. Every free-form wire required the approval of the assistant treasurer, but in most instances that individual had no reasonable grounds for challenging the wires, and therefore he provided blanket approvals. Another safeguard on wires, the use of "repetitive wires," was similarly diluted because one of the repetitives permitted the foreign controller to also act as an authorized approver. The foreign controller could approve wires from the corporate account to his personal account. Although these loopholes never resulted in a significant loss for the oil company, the same was not true at Société Générale. Shares of the Paris-based bank fell by almost a third in early 2008 on news that an arbitrage trader made €4.9 billion (US $6.9 billion) in unauthorized investments in the futures markets, using extensive knowledge gained from previous back-office work to circumvent internal control procedures and exceed his limited authority.
All organizations that manage large stores of cash run a similar risk that with one bad investment or one careless wire transfer, a treasurer can burn through company assets that have taken years to accumulate. These organizations are unlikely to recover money lost through a bad investment or a wire transfer to an unethical or unreachable party. This potential loss increases the importance of preventing both mistakes and fraud. Although outright fraud is rare in corporate treasury departments, organizations face risks when the movement of cash is not monitored adequately. Internal auditors can shore up controls for the most risky core treasury functions (cash management, short-term investments, and accounting for cash) to help prevent corporate cash from being placed at risk.
DEMYSTIFYING TREASURY
In the eyes of many internal auditors, the treasury function is mysterious due to the complexity of instruments treasurers manipulate on a daily basis. Treasury departments manage their organization's most fragile, fungible asset, cash, and may have access to almost everything the organization is worth. In addition, treasurers serve many managers, are dependent on multiple financial institutions, and often work with manual processes that increase the risk of error and fraud (see "How to Organize an Internal Audit for Treasury," at right). As the corporate "bank," a treasurer regulates an organization's lifeblood, money, as it comes in and goes out. On their organization's behalf, treasurers assume debt, make investments, manage risk and daily cash balances, and initiate electronic transfers. They also manage banking relationships, which can be numerous. Each time an organization grows through geographic expansion or acquisition, other accounts might be added or inherited. Over time, organizations tend to accumulate banking relationships that need to be weeded out by the treasurer (see "Auditing Banking Relationships," at end of article).
The challenge for internal auditors is to determine whether the controls in the treasury department are stringent enough. Experience has proved that controls over lines of authority, communication, investment strategy parameters, and segregation of duties are the most prone to breakdown in the treasury department. Internal auditors can drill into each of these areas and determine whether adequate controls are in place by asking pointed questions, such as:
- Who directs corporate cash flow?
- Are the most secure methods being used to communicate with treasury officials about moving money?
- Are treasury officials complying with the organization's short-term investment strategy?
- Are treasury transaction and accounting reconciliation duties segregated?
The individuals who staff the treasury function are typically trusted white-collar workers. But the opportunities for error or fraud in treasury are equal to those in other areas of the company in which internal auditors typically probe deeply.
DIRECTING TRANSFERS
Although the treasury staff is responsible for moving cash, directives to move that cash can come from many offices. Managers in different departments (such as the payroll group, the tax department, and accounts payable), as well as select senior executives, authorize disbursement of company cash. Only after receiving authorization from designated employees does a member of the treasury team communicate wire-transfer instructions to banks. Electronic payments are often made to repay debt, invest in special projects or acquisitions, and pay for corporate services, taxes, and contributions to retirement programs (see "Cash Management Wire Transfers," below).
In some organizations, the people who are authorized to approve payments number in the hundreds. One U.S. credit card issuer empowered more than 200 employees to instruct the treasury department to effect wire instructions. In this company, the treasury department did not have copies of the employees' specimen signatures, and the list of authorized individuals was rarely updated to reflect staff departures. Internal auditors are responsible for ensuring controls are in place when electronic transfers and payments are initiated. At a minimum, auditors should:
- Review the treasury list of people with the authority to initiate wire transfers, along with the dollar limits each individual may approve.
- Cross-reference the list with the electronic transactions report to make sure only authorized individuals are gaining access to company coffers.
- Ensure current specimen signatures for authorized individuals are on file.
All organizations also should consider requiring dual signatures or approvals for all payments except repetitive wires, which are drawn from, and deposited to, a fixed set of bank accounts and have a separate set of controls entirely. In the case of the U.S. oil company where the foreign controller was empowered to approve the reimbursement of expenses for his staff and himself, a more secure system would ensure that the wire-transfer approver is never its beneficiary or that strict limits are placed on the size of such transfers. With repetitive wires, the original set-up is enormously important. If improperly designed, a repetitive set-up can be transformed from a risk control into a fraud facilitator. To minimize this outcome, some organizations refuse to pay any vendor with a wire transfer until the vendor's treasurer has identified the beneficiary account on letterhead paper.
Communicating wire-transfer instructions to a bank requires a separate set of security measures. At a foreign subsidiary of a $3 billion U.S.-based outsourcing company, the wire-transfer specialist casually stored in an unlocked drawer the password that allowed him to access the wire-transfer systems of the company's lead bank. The justification? If he was on vacation, he knew that another employee would need the code to execute wires. For all organizations that rely on banks to move corporate funds, treasury officials should have, at a minimum:
- A specific password for each user, never shared with another user.
- Limits on each user's authority. For example, the same person should not be able to enter wire instructions and approve wires. This process should require the participation of two separate individuals for a free-form wire.
- Limits on the dollar amount per wire and/or per day that a user can initiate or approve.
- Periodic and required changes to passwords.
- Segregation of duties so that the systems administrator cannot be a user of the system.
These simple rules are easy to understand and appreciate. But many treasury groups violate one or more of them.
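The audit steps and rules above (cross-referencing the authorized list with the transactions report, per-wire limits, two individuals for a free-form wire, and an approver who is never the beneficiary) can be run as a mechanical check. The following is an added example, not part of the original article; the field names, finding labels, the `own_accounts` data (assumed to be available to the auditor) and all sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Authority:
    can_initiate: bool
    can_approve: bool
    wire_limit: int                          # maximum USD per wire
    own_accounts: frozenset = frozenset()    # accounts known to belong to this person

@dataclass(frozen=True)
class Wire:
    wire_id: str
    initiator: str
    approver: str
    beneficiary: str                         # beneficiary account number
    amount: int
    repetitive: bool = False

def audit_wire(w, authorized):
    """Return the control exceptions found for one wire in the transactions report."""
    findings = []
    ini, app = authorized.get(w.initiator), authorized.get(w.approver)
    if ini is None or not ini.can_initiate:
        findings.append("initiator-not-authorized")
    elif w.amount > ini.wire_limit:
        findings.append("initiator-over-limit")
    if app is None or not app.can_approve:
        findings.append("approver-not-authorized")
    elif w.amount > app.wire_limit:
        findings.append("approver-over-limit")
    if app and w.beneficiary in app.own_accounts:
        findings.append("approver-is-beneficiary")   # applies to repetitive wires too
    if not w.repetitive and w.initiator == w.approver:
        findings.append("no-dual-control")           # free-form wire needs two people
    return findings

def audit_report(wires, authorized):
    return {w.wire_id: f for w in wires if (f := audit_wire(w, authorized))}

# Constructed sample data: the authorized list and a transactions report.
AUTHORIZED = {"alice": Authority(True, False, 50_000),
              "bob": Authority(False, True, 250_000),
              "carlos": Authority(True, True, 100_000, frozenset({"ES-7781"}))}
WIRES = [Wire("W1", "alice", "bob", "US-1001", 40_000),
         Wire("W2", "alice", "bob", "US-1002", 75_000),
         Wire("W3", "carlos", "carlos", "ES-7781", 9_000, repetitive=True),
         Wire("W4", "carlos", "carlos", "US-1003", 5_000),
         Wire("W5", "dana", "bob", "US-1004", 1_000)]

if __name__ == "__main__":
    print(audit_report(WIRES, AUTHORIZED))
```

W3 reproduces the oil-company case: a repetitive wire passes the dual-control rule but is still flagged because the approver holds the beneficiary account.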
Writing a sound investment policy is no small task. In a recent review of the policy of a corporate treasury group for a U.S. technology company, auditors discovered ambiguity in the policy's intended message. The policy was unclear about what the investment manager is expected to do when an investment purchased in accord with the policy sours because the issuer's credit rating falls below an acceptable level. Should the investment be sold immediately or allowed to ride to its maturity? It also delegated unlimited authority to the treasurer to set separate investment guidelines for subsidiaries in emerging economies. Furthermore, the policy was vague about what reports on investment performance the senior executives should receive periodically. Best efforts should be made to clearly define corporate policy in gray areas or, at a minimum, to require regular review by an independent senior corporate executive or committee.
SEGREGATING DUTIES
One of the greatest control-related temptations for any organization is to allow the treasury department to prepare entries to the general ledger for treasury transactions. This temptation is particularly acute for hedge transactions because the financial calculations required can be enormously complex. The simple rule is to create a wall between the treasury and accounting departments as a natural checkpoint for treasury transactions. The more automated the interface between treasury transactions and the accounting department's general ledger, the greater the control over human error and fraud. For most middle-market firms, however, the interface between treasury and accounting is manual. In this case, the people who created the initial transaction should not be in a position to reconcile what is being entered into the general ledger. For example, the person who calls the bank to initiate a wire transfer should not be the same individual who reconciles the transaction in the general ledger. In one recent instance at a multi-billion-dollar U.S. company, a manager who oversaw the external investment managers and could initiate wires was responsible for receiving and editing investment information from the custodian before submitting the data to the accounting department for the purpose of updating the general ledger. The same individual ultimately reconciled the general ledger entries with the custodians' reports. Thus, one individual could set up a bogus investment manager to transfer money to and then hide embezzled funds with creative accounting: a perfect storm scenario in terms of unsegregated duties. Segregating reconciliation duties can be difficult, especially when the complexity of treasury activities exceeds the experience and training of accounting personnel. If treasury is doing a derivative or interest-rate swap, accounting staff might not understand how to account for the transaction and could lean on the treasury personnel for guidance.
This situation happens at even the largest companies and among very knowledgeable people. When it is discovered, the internal auditor is obligated to remind management that the accounting staff needs to become familiar with these transactions and learn how to check them for accuracy and compliance with corporate guidelines.
To the extent possible, internal auditors should verify that different individuals:
- Effect a wire transfer or investment.
- Book the wire transfer or investment to the general ledger.
- Reconcile general ledger entries against the data from the banks.
If all three activities cannot be segregated, internal auditors should at least ensure that one individual never performs more than two of them. The complexity of the treasury function is no excuse for diluting the segregation of execution, booking, and reconciliation.
Auditing Banking Relationships

Bank relationship management is a core function of the treasury division. By asking treasury officials how many bank accounts they manage, what are the accounts' purposes, and what accounts are tied together as zero balance or sweep accounts, internal auditors can determine whether the treasurer has eliminated all but the absolutely essential bank accounts. These are two distinct types of accounts. A zero balance account (ZBA) automatically moves funds from one demand deposit account (the ZBA) to another demand deposit account (a master account), neither of which is an interest-bearing account. In contrast, a sweep account automatically moves funds from a demand deposit account to an investment account or instrument that pays interest.

Having the fewest accounts feasible reduces administrative costs, improves return on cash, and minimizes opportunities for errors or fraud. The remaining accounts should be structured such that the funds move automatically to a master account, a feature of zero balance accounts that eliminates the need to manage several pockets of cash. Ultimately, the decision whether to open another bank account must be based on a careful weighing of convenience versus risk. Bank accounts have a tendency to proliferate because additional accounts make the business easier to administer for the employees, but invariably they add an element of risk because each account provides one more avenue for error or fraud.