Read through any publication and you’ll likely find an article about some form of fraud. Luckily, certain frauds remain statistically rare; however, financial fraud and theft is becoming more common, and can happen anywhere. Law firms can be targeted just like any business, if not more so because of the perception of deep pockets. What can you do, then, to protect your firm from theft or fraud? The best deterrence against suffering significant losses from fraud is a strong internal control environment. The Association of Certified Fraud Examiners’ 2018 “Report to the Nations” notes the following1:
The report1 goes on to note that strong anti-fraud controls are shown to result in lower losses and quicker fraud detection. Recent news underlines the financial risk of poor anti-fraud controls. A former managing partner of a law firm was convicted in October 2018 of nearly two dozen counts of wire fraud, colluding with the firm’s controller to take over $20 million from the firm’s operating and client escrow accounts over several years. These thefts managed to go undetected for years through continued collusion between two trusted members of firm management, who incessantly lied to the firm’s shareholders and falsified financial records.
Examples like this can seem extreme, and it’s easy to think (or hope) that fraud won’t happen in your firm, until it does. There is no foolproof prevention mechanism, but a strong internal control environment is your best defense. Yes, it can be time consuming to incorporate a layer of controls around every transaction, but can you afford not to? The statistics and examples already mentioned reinforce Benjamin Franklin’s axiom that “an ounce of prevention is worth a pound of cure.”
Adding to the complexity is the constant advancement of technology and the evolution of fraud to find new ways to exploit it. For this reason, it is essential that today’s law firms continuously reevaluate internal controls to ensure they’re updated to combat contemporary threats and effectively safeguard assets. The good news is that relatively minor control implementations can go a long way in protecting your firm’s assets. Let’s analyze the specific transaction areas that are more commonly susceptible to fraud within law firms, which include:
The most commonly stolen asset in any organization, regardless of profession or practice area, is cash. In law firms, the theft of cash can occur in both the firm’s operating accounts as well as client escrow accounts. Proper segregation of duties related to handling and recording cash is crucial to preventing an employee from diverting cash received or outgoing checks and wires for their own benefit. Ideal segregation of duties begins with ensuring that separate individuals are responsible for receiving and depositing cash and recording cash receipts in the accounting records. An overlap in these responsibilities creates the potential for fraud, as the same individual could steal a check and sign it over to themselves without anyone noticing.
Additionally, it is important to have controls over the write-off of receivables, to prevent concealment of a theft of a client payment done via writing off the related client receivable. A required approval process for writing off client receivables or some form of routine monitoring of receivable balances can mitigate this risk.
Controls over cash payments are equally important to those over cash receipts. For example, separate individuals should be initiating and approving ACH and wire transactions, and there should be dual signature requirements for large check payments. Also, having an approval process for new vendors and maintaining a secured master vendor listing are important ways to allow for easy verification that cash payments are being sent to an approved party. The use of a detailed expense budget to monitor actual expenses versus expectations is also an effective tool in identifying any unusual or unexpected activity.
If nothing else, regular preparation and review of bank account reconciliations by someone independent of the core cash receipt and disbursement functions should be performed on a routine basis and reviewed by an individual separate from the preparer. This separate, independent review will help ensure that bank reconciliations are prepared accurately, and it should also help identify any unusual reconciling items that could be indicative of theft.
Client escrow accounts are not immune to fraud risks either. The obvious differentiator is that unlike firm operating accounts, escrow accounts represent client funds required by bar rules to be segregated from operating funds, and any misappropriation of funds presents a greater risk to the firm and to the responsible attorney than just theft, as disciplinary action from the bar association can result. Additional controls over client escrow accounts should be maintained to protect your firm from potential bar rule violations, such as documenting client approval for disbursements from escrow accounts. This will support the validity of the disbursements and mitigate any potential risk of perceived impropriety from clients or regulatory authorities.
Employee and client reimbursable expenses are another area of risk related to fraud. Due to the status of attorneys and partners within law firms, it can be uncomfortable for administrative personnel to push back on demands or challenge an attorney’s requests. However, by implementing a few general requirements surrounding expense claims that all attorneys must follow, firms can help prevent the risk of improper or fraudulent expense claims. Talk to your accounting personnel about attorneys that routinely submit a large volume of expenses or who create difficulties, and periodically review their expenses as well as a random selection of other expense reports. Secondary approval of attorney expenses for large or potentially questionable requests, such as by a partner that the attorney reports to, or by a concurring partner or executive management member for the expenses of partners, is also a good practice to keep people honest.
Also, accounting personnel should be encouraged to periodically ask questions such as how a vendor was selected, if there is a contract to compare the charges to, and can it be verified that the services or products have been provided. The simple process of occasionally asking these types of questions results in enhancing your control environment, as employees and partners are aware of the greater risk of detection if they were to consider attempting fraud.
Information technology (IT) equipment is a constantly evolving area of fraud risks. One of the inevitable byproducts of the rapid advancements in technology is the slow evolution of controls to adapt to these changes. It is common to purchase new IT equipment fairly frequently, whether for laptops or cell phones or other forms of mobile access to data. Controls around that equipment can seem straightforward, but don’t underestimate the ability for individuals to exploit a gap in controls.
Additionally, cyber threats are abundant. Review of access levels to your servers and intranet should be performed periodically and whenever turnover in personnel occurs. If you haven’t evaluated or updated your controls around access to your IT equipment recently, doing so every few years would be prudent.
The unfortunate reality is that the risk of fraud will never be completely eliminated, and as technology evolves, people will undoubtedly find new and more intricate ways to perpetrate fraud. For instance, a bank vice president recently commented on increased fraud from small online banking services where customer verification is lacking – permitting fraudsters to set up bank accounts similar to legitimate vendors, intercept vendor payment checks and deposit the payments into their new bank accounts without ever stepping foot in a bank.
The implementation of effective internal controls can go a long way in creating deterrents to protect your assets from theft. The foundation of your control environment sets the tone for employees within your firm. Even the perception of a control can be an effective deterrent. Designing and implementing a strong internal control environment can be done whether you have a large accounting department or just one or two accountants. If you’ve never fully evaluated your internal controls, doing so can save you a lot of stress and financial trouble should something bad happen. If you have previously evaluated your controls but it’s been a few years, it’s never too early to start thinking about the controls that might need to be strengthened or changed. You’ll be glad you did.
In a part 2 article, we will discuss the utilization of internal audit types of procedures to further evaluate fraud risks and increase your likelihood of detecting anomalies before potential losses grow.
For more information on this topic, or to learn how Baker Tilly professional services specialists can help, contact our team.
1Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse, Association of Certified Fraud Examiners, Inc.