Subscribers to the Finance and Accounting PolicyPro database know the above to be true because numerous policies explain this. The employer in 2023 BCSC 892 (“BCSC 892”) would have done well to implement this classic internal control.
Segregation of duties divides responsibilities across as many persons as practicable for internal control purposes so that no one person can complete all or too many steps in a process. The goal of the division is to avoid allocating incompatible functions or functions that increase the risk of fraud or error if combined and assigned to a sole individual. Divide payroll tasks between several people to reduce the risk of fraud and errors.
In BCSC 892, an employee stole over $1.9M over 6 years between 2015 and 2021.
It was a classic payroll fraud. First, the fraudster selected past and current employees and changed the banking information for their direct deposits to one of her 19 bank accounts. Then, she created fictitious payments to the employees she selected. She then generated and uploaded the electronic banking text files to the employer’s bank, directing it to make the fraudulent payments. After processing the bogus payments, she sometimes deleted the banking information changes and reinstated the original banking information.
She did this 885 different times.
For every classic payroll fraud, there is a classic internal control to prevent or mitigate the fraud. In this case, segregation of duties might have prevented the fraud or reduced the likelihood or severity of the fraud. The fraudster should not have had access to both payroll processing and the payroll master files containing banking information.
Even very small organizations can implement segregation of duties so that the accounting person who processes payroll cannot access the payroll master files. For instance, someone from human resources (HR) could be responsible for payroll master file changes. That person would only make changes if they got proper documentation duly authorized by department heads or the affected employee. For instance, past employees would not be reinstated without properly approved new hire or reemployment forms. The person processing payroll would also receive a copy of documentation that confirms the master file changes that HR made.
The fraud in this case occurred because one person had access to manipulate master files to carry out and conceal her fraud. Additionally, as a supervisor, the fraudster should not have been processing payroll. Her role would have been more appropriately limited to supervision and review functions.
A further segregation of duties could have applied to the transmission of the banking text file. Someone other than the person who processes payroll should review the related supporting documents and the banking file and transmit the file to the bank.
While we cannot determine the employer’s entire control environment from the limited facts in the court judgement, other internal controls may have revealed the fraud sooner. Other controls include a review of payroll variances. Review both variances in the dollar value of payroll and the number of employees paid. Make comparisons from one payroll to the next and to budgeted numbers on a department-by-department basis.
Capture audit trails of all changes to payroll master files, even if the changes are temporary, as in this case. In a case like this, a review of the audit trail for payroll master file changes could have revealed anomalous patterns (for example, the change and immediate change back of banking information), given the 885 data points available. Review banking information reports to see if bank accounts are reused for multiple employees. One or more of the 19 bank accounts were possibly associated with multiple employees, which is another anomaly.
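The two audit-trail reviews described above (a banking change that is quickly changed back, and one bank account appearing under several employees) can be automated. The following is an added example, not part of the original post; the record layout, user names, account labels, and three-day window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail records (assumed layout):
# (timestamp, user, employee_id, old_account, new_account)
AUDIT = [
    ("2021-03-01 09:02", "payroll_sup", "E100", "ACCT-A1", "ACCT-X9"),
    ("2021-03-01 16:40", "payroll_sup", "E100", "ACCT-X9", "ACCT-A1"),
    ("2021-03-15 09:10", "payroll_sup", "E200", "ACCT-B2", "ACCT-X9"),
    ("2021-03-15 17:05", "payroll_sup", "E200", "ACCT-X9", "ACCT-B2"),
    ("2021-04-02 11:00", "hr_clerk", "E300", "ACCT-C3", "ACCT-C4"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def find_reverts(records, window=timedelta(days=3)):
    """Flag a banking change that is undone (changed back to the
    original account) for the same employee within `window`."""
    by_emp = defaultdict(list)
    for ts, user, emp, old, new in sorted(records):  # timestamp sorts first
        by_emp[emp].append((parse(ts), user, old, new))
    hits = []
    for emp, changes in by_emp.items():
        # Compare each change with the next change for the same employee.
        for (t1, u1, old1, new1), (t2, _, old2, new2) in zip(changes, changes[1:]):
            if old2 == new1 and new2 == old1 and t2 - t1 <= window:
                hits.append((emp, new1, u1, t1.date().isoformat()))
    return hits

def shared_accounts(records):
    """Return accounts that were on file for more than one employee,
    counting temporary values that only ever appear in the audit trail."""
    owners = defaultdict(set)
    for _, _, emp, old, new in records:
        owners[old].add(emp)
        owners[new].add(emp)
    return {a: sorted(e) for a, e in owners.items() if len(e) > 1}

if __name__ == "__main__":
    for emp, acct, user, day in find_reverts(AUDIT):
        print(f"{day}: {user} set {emp} to {acct}, then reverted")
    for acct, emps in shared_accounts(AUDIT).items():
        print(f"{acct} was on file for multiple employees: {emps}")
```

Both checks depend on the audit trail retaining temporary values; a report of current banking information alone would show nothing once the original account is reinstated.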
The judge in BCSC 892 said the employee used her knowledge of the computerized payroll system to systemically defraud the employer. The flip side is that the employee used the employer’s lack of segregation of duties and other internal controls to her advantage.
Admittedly, collusion between employees, for example, between the employee updating the master file and the one processing payroll, could defeat segregation of duties. But at minimum, segregation of duties is an additional hurdle that the fraudsters would need to overcome. Furthermore, there should be other controls, including some of those described above, to supplement and reinforce segregation of duties.
Segregation of duties as described above applies to other financial statement components. For accounts payable, for example, a basic control is to separate the responsibilities for master file updating from payment processing. See, for instance, Segregation of duties and accounts payable and Not-for-profits and internal controls.
An upcoming post will examine a few other aspects of internal controls that the scenario in BCSC 892 evokes or engages directly. See if you can spot at least two.
The judge in BCSC 892 found it appropriate to apply punitive damages of $100,000 because the employee’s actions were deliberate, protracted, and serious and caused significant loss. He opined that punitive damages were necessary to denounce the employee’s conduct and deter others. Too little too late for this employer. It is out $1.9M that it may not recover fully or at all. And it had to endure the time, expense, and intangible cost of a legal proceeding. Know what’s a strong deterrent? Solid internal controls like segregation of duties.
Meeting your duty of care
Segregate duties to improve internal controls. Limit access to master files. Ensure effective reviews of audit trails and other payroll records. See Chapter 4 – Payroll and Chapter 6 – Internal Controls in Volumes I and II respectively, in the Policy Pro Finance and Accounting database. In addition, review SPP FN 2.16 – Vendor Master Files and SPP FN 5.11 – Electronic Funds Transfer.