Internal Controls to Prevent Thefts from Internal Sources
Business losses due to employee thefts amount to billions of dollars every year. The most important strategy used to minimize such losses is a good system of internal controls. Internal controls do not prevent thefts; however, a good system will detect such threats on a timely basis.
Basically, an internal control system separates the various accounting functions among different employees. DMI has identified some common threats to Association assets and the internal controls used to minimize or eliminate the threat.
Site Manager – Initial hiring and ongoing employment.
Response: All Site Managers at their initial hiring are required to undergo drug testing, criminal and credit background checks. Subsequent to their employment, all Site Managers and association employees are required to undergo random drug testing; the date and time is determined by DMI’s Account Executive. In order to minimize the cost to the association, DMI has negotiated volume discounts with Clinical Laboratories of Hawaii.
Site Manager – Unauthorized withdrawals from the association’s cash accounts.
Response: The Site Manager has no signature authority over any association accounts. In addition, the Site Manager has no authority to withdraw or transfer association funds for payment to any entity. Bank statements are sent directly to DMI for reconciliation.
Site Manager – Use of Petty Cash Funds for personal expenses.
Response: All reimbursements to the petty cash fund must be supported with an invoice signed and approved by the Site Manager and affixed with an account code. The Account Executive will count the petty cash fund at least once a year and always upon the resignation or termination of the Site Manager.
Site Manager – Accepting kickbacks from contractors and vendors.
Response: Maui is a small island and most contractors and vendors are known to DMI. In addition, DMI mandates that licensed contractors, in good standing, be used whenever required by law. The use of licensed contractors is required in order to receive a reimbursement from the State contractors’ fund for shoddy workmanship. In addition, it protects the directors from liability and penalties from using unlicensed contractors. Further, on large jobs, DMI manages the bidding process through formal “requests for proposals” so that the bids are “apples to apples.” The results of the RFP are sent to the Board for final selection.
DMI – Unauthorized withdrawals from association accounts.
Response: DMI employs several strategies, as follows:
Account Executives have no authority to incur expenses on behalf of the association unless it is specifically authorized by the Board.
Account Executives have no signature authority over any association accounts.
Accountants are not allowed to reconcile the bank statements for their assigned association accounts. Another DMI accountant will reconcile the account.
DMI – Fraud through cash receipts.
Response: DMI uses a lockbox system for all maintenance fee and reserve assessments. In other words, all payments to the association are sent to a bank rather than to DMI. This payment information is electronically downloaded to DMI’s computers each day.
If an owner pays by cash or check at DMI’s office and the cash is stolen, the unit owner will likely notify DMI when they receive a delinquent notice that is computer generated. A receipt is always issued for cash or check payments. All checks received by DMI are electronically deposited
DMI – Unauthorized withdrawals from association accounts and wire transfers.
Response: Except for check requests by the Site Manager or a Director, all payments are made electronically. The process for initiating electronic payments is as follows:
Electronic Payments by Check
Generally, before a payment can be made it must the initiated by the Site Manager. The Site Manager scans and sends the approved invoice with the account code to SRS (DMI’s vendor for electronic payments). Certain contract items, utilities (i.e. electric, water/sewer, cable), and other fixed items are sent directly to SRS by the vendor. All authorized parties can access the SRS website to see the status of the bill.
SRS codes the invoices by association and vendor.
DMI’s Payables Manager ensures that the bill is correct by matching SRS’ information with the vendor and association name, checks to see if the vendor’s W9 form (name, address and federal ID) is on file, verifies that there are no duplicate invoices and the amount of the required payment matches the invoice.
There are currently only two persons in the office than can release payments. These persons are not assigned to any association accounts and serve only to do the final check before the payments are released.
Automated Clearing House and Wire Transfers
DMI’s accountant assigned to the association prepares a list of vendors for payment. The accountant cannot release payments. The list of vendors is forwarded to DMI’s authorized “Releaser” who has a physical token issued by the bank. The Releaser cannot initiate a payment request. In other words, the Releaser can only release the payments that have been initiated by another party.
The authorized Releaser must keypunch the ever changing information on the physical token at least two different times with different access codes before the approval for payment can be made.
The bank then initiates a physical phone call to the Releaser verifying that the authorized payment list is correct. This step makes it very difficult for an outside party to hack into the account and have funds wired from the association’s account to an unauthorized bank account.
The bank then sends an email confirmation notifying the Releaser that the funds have been released.
DMI – Other procedures to safeguard association assets.
The only authorized persons who can initiate payments or withdrawals from the association accounts are those that are not directly involved in the purchase of goods or services. The only authorized persons are designated persons at DMI and authorized Board members, i.e. President and/or Treasurer. These authorized persons are named on the signature card(s).
DMI will not waive any late fees without Board approval. Exceptions include confirmed owner’s death or serious illness, when the unit is in escrow pending a sale or for insignificant amounts where the cost of generating the delinquent notice, envelope and postage will exceed the balance due.
As recommended by the Financial Accounting Standards Board (FASB), that determines Generally Accepted Accounting Principles (GAAP), DMI prepares full accrual basis financial statements with detailed schedules. This is because cash basis statements lend themselves to manipulation.
DMI includes a Statement of Cash Flows in the financial statements. This is required by GAAP. The statement reconciles the association’s net income to the cash in the bank(s). It summarizes all sources of cash and all sources of disbursements categorized by the operations, financing and investment activities of the association, both on a monthly and year-to-date basis.
The limitations of an independent audit.
Most lay people assume that the auditor will discover embezzlement or fraud if it exists and that all is well if the auditor issues a “clean opinion.” In fact, most fraud cases are not discovered by a routine audit.
All auditors only test anywhere from 1% to 5% of the association’s transactions depending on the level of the association’s internal control. This is necessary in order to keep the cost of an audit at a reasonable level.
When an audit report is issued it should be noted that only the opinion letter is owned by the auditor; the financial statement themselves are the property of the association.
The auditor’s role is to determine that the financial statements (owned by the association) are prepared in compliance with the AICPA guidelines for Common Interest Realty Associations, that GAAP principles established by FASB are used, that there are no material errors in the financial statements and that the accounting principles used are consistently applied.
Internal control policies form only one part of a managing agent’s back office operations. DMI takes great pride in continuously improving its systems and procedures. With over 40 years’ experience and our CPA background we can confidently say that we have one of the best, if not the best, back office operations in the property management industry.