Where Were the Internal Controls?

By: Nancy Church

“An accountant was arrested…..”

 I hate seeing those words in the newspaper, but there they were yesterday in The Oregonian.

Cynthia Rodriguez worked for the city of Cornelius, Oregon (population of a few thousand) until her resignation in August, 2012. What went wrong?

Cash Payments Pocketed, Records Changed
One of Rodriguez’s duties was accepting payments from residents who came in to settle their utility bills; some of them paid in cash.  She accepted all the payments, created receipts with copies for the city, and gave them to the customers. Sometimes, though, she kept the cash and voided the city’s copy of the receipt.

Consequently, the city had no record that the utility bills had been paid. Late notices were sent. Rodriguez anticipated this and, before the notices were mailed, she went into the computer system and changed the customers’ addresses to hers so she would receive the notices. Apparently, she paid the bills, including the $10 late fee. Then she marked the bills as ‘paid’ in the system.

She is accused of taking $3,700 in 25 instances, though she reportedly repaid everything she took.

City Lacked Sufficient Internal Controls
What was wrong with the city’s system of internal controls? Apparently, nobody independent of the cash receipt function was verifying the numerical sequence of receipts – or perhaps there was no numerical sequence that could be verified. Secondly, a person who could accept payments had rights in the system not only to mark bills ‘paid’ but to change customer addresses.

I think the city got off easily. Rodriguez apparently repaid everything she took; she could have done a lot more damage. Embezzlers who ‘borrow’ money usually don’t pay it back, and they gradually increase the amounts they take. Assuming, that is, that they are not discovered.

One Existing Internal Control Highlighted Problem

The investigation was started after the city noticed that $120 was missing from the Municipal Court till in May, 2012.

If the city lacked sufficient internal controls, how did they discover the discrepancy? There was one critical control in place – workers who did not accept payments from customers reconciled the tills daily. The accused Rodriguez was prevented from committing further crime.
Who Has Access to What? Segregating Duties is an Essential Internal Control

One of the primary controls we’re talking about here is segregation of duties. The role of accepting payments should be separate from the role of posting those payments to customer accounts. Access to the organization’s records and the rights to alter them should be granted with care as well.

Is it time to take a look at your procedures and your system of passwords? When I begin a new consulting engagement for a smaller client, I often find that two or three people are using the same QuickBooks log-in and that they all have unrestricted rights. I find that people perform incompatible duties. I have even found that people share bank account log-ins.

Convenience is usually the motivation for these unfortunate arrangements: it can be a lot of trouble to change bank signers or train new employees in responsibilities they haven’t carried out before.

Not doing the work leaves your organization vulnerable.  It can also leave employees who’ve done nothing wrong open to accusation because they had the opportunity to commit crimes. You owe it to your organization, yourself, and your co-workers to ensure that internal controls are in place to protect you all.