The treasurer of one of the largest oil companies in the United States recently learned the internal controls over the initiation of wire transfers were alarmingly loose. Every free-form wire required the approval of the assistant treasurer, but in most instances that individual had no reasonable grounds for challenging the wires, and therefore he provided blanket approvals. Another safeguard on wires — the use of “repetitive wires” — was similarly diluted because one of the repetitives permitted the foreign controller to also act as an authorized approver. The foreign controller could approve wires from the corporate account to his personal account.

Although these loopholes never resulted in a significant loss for the oil company, the same was not true at Société Générale. Shares of the Paris-based bank fell by almost a third in early 2008 on news that an arbitrage trader made €4.9 billion (US $6.9 billion) in unauthorized investments in the futures markets, using extensive knowledge gained from previous back-office work to circumvent or override internal control procedures and exceed his limited authority.

All organizations that manage large stores of cash run a similar risk — that with one bad investment or one careless wire transfer, a treasurer can burn through company assets that have taken years to accumulate. These organizations are unlikely to recover money lost through a bad investment or a wire transfer to an unethical or unreachable party. This potential loss increases the importance of preventing both mistakes and fraud.

Although outright fraud is rare in corporate treasury departments, organizations face risks when the movement of cash is not monitored adequately. Internal auditors can shore up controls for the most risky core treasury functions — cash management, short-term investments, and accounting for cash — to help prevent corporate cash from being placed at risk.

In the eyes of many internal auditors, the treasury function is mysterious due to the complexity of instruments treasurers manipulate on a daily basis. Treasury departments manage their organization’s most fragile, fungible asset — cash — and may have access to almost everything the organization is worth. In addition, treasurers serve many managers, are dependent on multiple financial institutions, and often work with manual processes that increase the risk of error and fraud (see “How to Organize an Internal Audit for Treasury,” below).

As the corporate “bank,” a treasurer regulates an organization’s lifeblood, money, as it comes in and goes out. On their organization’s behalf, treasurers assume debt, make investments, manage risk and daily cash balances, and initiate electronic transfers. They also manage banking relationships, which can be numerous. Each time an organization grows through geographic expansion or acquisition, other accounts might be added or inherited. Over time, organizations tend to accumulate banking relationships that need to be weeded out by the treasurer (see “Auditing Banking Relationships,” at end of article).

The challenge for internal auditors is to determine whether the controls in the treasury department are stringent enough. Experience has proved that controls over lines of authority, communication, investment strategy parameters, and segregation of duties are the most prone to breakdown in the treasury department. Internal auditors can drill into each of these areas and determine whether adequate controls are in place by asking pointed questions, such as:
- Who directs corporate cash flow?
- Are the most secure methods being used to communicate with treasury officials about moving money?
- Are treasury officials complying with the organization’s short-term investment strategy?
- Are treasury transaction and accounting reconciliation duties segregated?
- Review the treasury list of people with the authority to initiate wire transfers, along with the dollar limits each individual may approve.
- Cross-reference the list with the electronic transactions report to make sure only authorized individuals are gaining access to company coffers.
- Ensure current specimen signatures for authorized individuals are on file.
- A specific password for each user, never shared with another user.
- Limits on each user’s authority. For example, the same person should not be able to enter wire instructions and approve wires. This process should require the participation of two separate individuals for a free-form wire.
- Limits on the dollar amount per wire and/or per day that a user can initiate or approve.
- Periodic and required changes to passwords.
- Segregation of duties so that the systems administrator cannot be a user of the system.
- Effect a wire transfer or investment.
- Book the wire transfer or investment to the general ledger.
- Reconcile general ledger entries against the data from the banks.
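
As an added illustration (not part of the original article), the cross-reference of the authority list against the electronic transactions report can be scripted together with the two-person and dollar-limit checks listed above. The user names, limits, field names and sample wires are constructed assumptions, including the assumption that the report records the payee's owner in a form that can be matched to a user ID.

```python
from collections import defaultdict

# Constructed authority list: user -> roles and dollar limits (all assumed).
AUTHORITY = {
    "a.ng":    {"roles": {"initiate"}, "per_wire": 50_000, "per_day": 80_000},
    "b.ortiz": {"roles": {"approve"}, "per_wire": 250_000, "per_day": 500_000},
    "c.webb":  {"roles": {"initiate", "approve"}, "per_wire": 250_000, "per_day": 500_000},
}

# Constructed electronic transactions report (field names are assumptions).
WIRES = [
    {"id": "W1", "date": "2024-03-01", "amount": 40_000, "initiator": "a.ng", "approver": "b.ortiz", "payee": "vendor-01"},
    {"id": "W2", "date": "2024-03-01", "amount": 45_000, "initiator": "a.ng", "approver": "b.ortiz", "payee": "vendor-02"},
    {"id": "W3", "date": "2024-03-02", "amount": 90_000, "initiator": "c.webb", "approver": "c.webb", "payee": "vendor-03"},
    {"id": "W4", "date": "2024-03-02", "amount": 10_000, "initiator": "d.kim", "approver": "b.ortiz", "payee": "vendor-01"},
    {"id": "W5", "date": "2024-03-03", "amount": 60_000, "initiator": "a.ng", "approver": "c.webb", "payee": "c.webb"},
]

def review_wires(wires, authority):
    """Return (wire_id, finding) pairs for wires that break the authority list."""
    findings = []
    spent = defaultdict(int)  # (user, date) -> dollars initiated that day
    for w in wires:
        # Each side of the wire must be on the list, hold the role, and be within limit.
        for role, field in (("initiate", "initiator"), ("approve", "approver")):
            user = authority.get(w[field])
            if user is None or role not in user["roles"]:
                findings.append((w["id"], f"unauthorized_{field}"))
            elif w["amount"] > user["per_wire"]:
                findings.append((w["id"], f"{field}_over_wire_limit"))
        # Two separate individuals must enter and approve a wire.
        if w["initiator"] == w["approver"]:
            findings.append((w["id"], "no_dual_control"))
        # An approver releasing funds to an account he or she owns.
        if w["approver"] == w["payee"]:
            findings.append((w["id"], "approver_is_payee"))
        # Running per-day total for the initiator.
        key = (w["initiator"], w["date"])
        spent[key] += w["amount"]
        limit = authority.get(w["initiator"], {}).get("per_day")
        if limit is not None and spent[key] > limit:
            findings.append((w["id"], "initiator_over_day_limit"))
    return findings

if __name__ == "__main__":
    for wire_id, finding in review_wires(WIRES, AUTHORITY):
        print(wire_id, finding)
```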
Note: Article appeared in IIA Magazine