The treasurer of one of the largest oil companies in the United States recently learned the internal controls over the initiation of wire transfers were alarmingly loose. Every free-form wire required the approval of the assistant treasurer, but in most instances that individual had no reasonable grounds for challenging the wires, and therefore he provided blanket approvals. Another safeguard on wires — the use of “repetitive wires” — was similarly diluted because one of the repetitives permitted the foreign controller to also act as an authorized approver. The foreign controller could approve wires from the corporate account to his personal account.
Although these loopholes never resulted in a significant loss for the oil company, the same was not true at Société Générale. Shares of the Paris-based bank fell by almost a third in early 2008 on news that an arbitrage trader made €4.9 billion (US $6.9 billion) in unauthorized investments in the futures markets, using extensive knowledge gained from previous back-office work to circumvent or override internal control procedures and exceed his limited authority.
All organizations that manage large stores of cash run a similar risk — that with one bad investment or one careless wire transfer, a treasurer can burn through company assets that have taken years to accumulate. These organizations are unlikely to recover money lost through a bad investment or a wire transfer to an unethical or unreachable party. This potential loss increases the importance of preventing both mistakes and fraud.
Although outright fraud is rare in corporate treasury departments, organizations face risks when the movement of cash is not monitored adequately. Internal auditors can shore up controls for the most risky core treasury functions — cash management, short-term investments, and accounting for cash — to help prevent corporate cash from being placed at risk.
In the eyes of many internal auditors, the treasury function is mysterious due to the complexity of instruments treasurers manipulate on a daily basis. Treasury departments manage their organization’s most fragile, fungible asset — cash — and may have access to almost everything the organization is worth. In addition, treasurers serve many managers, are dependent on multiple financial institutions, and often work with manual processes that increase the risk of error and fraud (see “How to Organize an Internal Audit for Treasury,” below).
As the corporate “bank,” a treasurer regulates an organization’s lifeblood, money, as it comes in and goes out. On their organization’s behalf, treasurers assume debt, make investments, manage risk and daily cash balances, and initiate electronic transfers. They also manage banking relationships, which can be numerous. Each time an organization grows through geographic expansion or acquisition, other accounts might be added or inherited. Over time, organizations tend to accumulate banking relationships that need to be weeded out by the treasurer (see “Auditing Banking Relationships,” at end of article).
The challenge for internal auditors is to determine whether the controls in the treasury department are stringent enough. Experience has proved that controls over lines of authority, communication, investment strategy parameters, and segregation of duties are the most prone to breakdown in the treasury department. Internal auditors can drill into each of these areas and determine whether adequate controls are in place by asking pointed questions, such as:
- Who directs corporate cash flow?
- Are the most secure methods being used to communicate with treasury officials about moving money?
- Are treasury officials complying with the organization’s short-term investment strategy?
- Are treasury transaction and accounting reconciliation duties segregated?
The individuals who staff the treasury function are typically trusted white-collar workers. But the opportunities for error or fraud in treasury are equal to those in other areas of the company in which internal auditors typically probe deeply.
Although the treasury staff is responsible for moving cash, directives to move that cash can come from many offices. Managers in different departments — such as the payroll group, the tax department, and accounts payable, as well as select senior executives — authorize disbursement of company cash. Only after receiving authorization from designated employees does a member of the treasury team communicate wire-transfer instructions to banks. Electronic payments are often made to repay debt, invest in special projects or acquisitions, and pay for corporate services, taxes, and contributions to retirement programs (see “Cash Management — Wire Transfers,” below).
In some organizations, the people who are authorized to approve payments number in the hundreds.
One U.S. credit card issuer empowered more than 200 employees to instruct the treasury department to effect wire instructions. In this company, the treasury department did not have copies of the employees’ specimen signatures, and the list of authorized individuals was rarely updated to reflect staff departures.
Internal auditors are responsible for ensuring controls are in place when electronic transfers and payments are initiated. At a minimum, auditors should:
- Review the treasury list of people with the authority to initiate wire transfers, along with the dollar limits each individual may approve.
- Cross-reference the list with the electronic transactions report to make sure only authorized individuals are gaining access to company coffers.
- Ensure current specimen signatures for authorized individuals are on file.
All organizations also should consider requiring dual signatures or approvals for all payments except repetitive wires, which are drawn from, and deposited to, a fixed set of bank accounts and have a separate set of controls entirely. In the case of the U.S. oil company where the foreign controller was empowered to approve the reimbursement of expenses for his staff and himself, a more secure system would ensure that the wire-transfer approver is never its beneficiary or that strict limits are placed on the size of such transfers. With repetitive wires, the original set-up is enormously important. If improperly designed, a repetitive set-up can be transformed from a risk control into a fraud facilitator. To minimize this outcome, some organizations refuse to pay any vendor with a wire transfer until the vendor’s treasurer has identified the beneficiary account on letterhead paper.
MOVING MONEY SECURELY
Every organization that relies on wire transfers should closely control both how its treasurer can receive instructions from company officials to move money and how the treasurer then communicates those instructions to the banks that ultimately execute the transfers. Only the most secure communication methods should be allowed. Telephone and fax instructions are not secure for sending information and should not be permitted. At one global auto supplier, the cash manager regularly received wire-transfer instructions from senior executives via unsecured fax. She had no signature specimens. Even if she had them, she would not have been able to authenticate whether the signatures on the fax were original or copied.
The preferred methods of receiving transfer instructions are a secure signature system, signed document, or e-mail. A secure system allows authorized individuals to send payment approvals from their desks to the treasury department without actually signing for the transaction on hard-copy documents. When an organization has many authorized signers, investing in a secure signature system can be quite effective.
Communicating wire-transfer instructions to a bank requires a separate set of security measures. At a foreign subsidiary of a $3 billion U.S.-based outsourcing company, the wire-transfer specialist casually stored in an unlocked drawer the password that allowed him to access the wire-transfer systems of the company’s lead bank. The justification? If he was on vacation, he knew that another employee would need the code to execute wires.
For all organizations that rely on banks to move corporate funds, treasury officials should have, at a minimum:
- A specific password for each user, never shared with another user.
- Limits on each user’s authority. For example, the same person should not be able to enter wire instructions and approve wires. This process should require the participation of two separate individuals for a free-form wire.
- Limits on the dollar amount per wire and/or per day that a user can initiate or approve.
- Periodic and required changes to passwords.
- Segregation of duties so that the systems administrator cannot be a user of the system.
These simple rules are easy to understand and appreciate. But many treasury groups violate one or more of them.
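The user-level rules listed above, together with the earlier points about the authorized-approver list, dollar limits, dual approval for free-form wires, the approver never being the beneficiary, and repetitive wires being tied to a fixed pair of accounts, can all be tested mechanically against the electronic transactions report. The Python script below is an added example written for this article; it is not a tool from any bank or treasury system. The approver list, limits, repetitive templates, user ids, accounts and wires in it are constructed, and the daily initiation limit is an assumed policy value.

```python
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed reference data (hypothetical names and accounts) ---------------
# Authorized-approver list as treasury might hand it to internal audit:
# user id -> single-wire approval limit in dollars.
AUTHORIZED_APPROVERS = {
    "a.treasurer": 5_000_000,
    "b.controller": 250_000,
    "c.payroll": 1_000_000,
}
# Total a single user may initiate (enter) per day; assumed policy value.
DAILY_INITIATION_LIMIT = 250_000
# Repetitive-wire templates: template id -> fixed (debit account, beneficiary account).
REPETITIVE_TEMPLATES = {
    "REP-001": ("CORP-OPER-01", "BENEF-TAX-AUTH"),
    "REP-002": ("CORP-OPER-01", "BENEF-PENSION-TRUST"),
}

@dataclass(frozen=True)
class Wire:
    wire_id: str
    date: str
    kind: str                 # "free-form" or "repetitive"
    amount: float
    entered_by: str
    approved_by: tuple        # one or more approver user ids
    debit_account: str
    beneficiary_account: str
    beneficiary_owner: str = ""   # user id if the payee is an employee, else ""
    template: str = ""            # repetitive wires reference a template id

def check_wire(wire, approvers=AUTHORIZED_APPROVERS, templates=REPETITIVE_TEMPLATES):
    """Return the control exceptions for one wire; an empty list means it passed."""
    issues = []
    for approver in wire.approved_by:
        if approver not in approvers:
            issues.append(f"approver {approver} is not on the authorized list")
        elif wire.amount > approvers[approver]:
            issues.append(f"amount {wire.amount:,.0f} exceeds {approver}'s limit of {approvers[approver]:,.0f}")
        if approver == wire.entered_by:
            issues.append(f"{approver} both entered and approved the wire")
        if approver == wire.beneficiary_owner:
            issues.append(f"approver {approver} is the beneficiary")
    if wire.kind == "free-form":
        # Free-form wires need two distinct approvers; repetitives are exempt.
        if len(set(wire.approved_by)) < 2:
            issues.append("free-form wire lacks dual approval")
    elif wire.kind == "repetitive":
        expected = templates.get(wire.template)
        if expected is None:
            issues.append(f"unknown repetitive template {wire.template!r}")
        elif expected != (wire.debit_account, wire.beneficiary_account):
            issues.append("repetitive wire accounts do not match the template")
    else:
        issues.append(f"unknown wire kind {wire.kind!r}")
    return issues

def audit_wires(wires, daily_limit=DAILY_INITIATION_LIMIT):
    """Run every wire through check_wire and total each user's initiations per day.

    Returns (per_wire, daily): per_wire maps wire id -> issues (only wires with
    issues appear); daily lists (user, date, total) over the daily limit.
    """
    per_wire = {}
    totals = defaultdict(float)
    for wire in wires:
        issues = check_wire(wire)
        if issues:
            per_wire[wire.wire_id] = issues
        totals[(wire.entered_by, wire.date)] += wire.amount
    daily = [(user, day, total) for (user, day), total in sorted(totals.items())
             if total > daily_limit]
    return per_wire, daily

# Constructed electronic transactions report (five wires, one business day).
SAMPLE_WIRES = [
    Wire("W1", "2024-03-04", "free-form", 100_000, "d.clerk",
         ("a.treasurer", "b.controller"), "CORP-OPER-01", "VENDOR-ACCT-17"),
    # A single approver reimbursing himself: the oil-company loophole in the text.
    Wire("W2", "2024-03-04", "free-form", 8_000, "d.clerk",
         ("b.controller",), "CORP-OPER-01", "PERSONAL-ACCT-42", beneficiary_owner="b.controller"),
    Wire("W3", "2024-03-04", "repetitive", 50_000, "d.clerk",
         ("c.payroll",), "CORP-OPER-01", "BENEF-PENSION-TRUST", template="REP-002"),
    # Repetitive template pointed at an account it was never set up for.
    Wire("W4", "2024-03-04", "repetitive", 50_000, "d.clerk",
         ("c.payroll",), "CORP-OPER-01", "PERSONAL-ACCT-42", template="REP-001"),
    # Entered and approved by the same user, above that user's limit.
    Wire("W5", "2024-03-04", "free-form", 300_000, "b.controller",
         ("b.controller", "a.treasurer"), "CORP-OPER-01", "VENDOR-ACCT-09"),
]

if __name__ == "__main__":
    per_wire, daily = audit_wires(SAMPLE_WIRES)
    for wire_id, issues in per_wire.items():
        print(wire_id, "->", "; ".join(issues))
    for user, day, total in daily:
        print(f"{user} initiated {total:,.0f} on {day}, over the daily limit")
```

Run against the constructed report, the script clears W1 and W3 and flags W2 (approver is the beneficiary, no second approver), W4 (repetitive wire redirected away from its template account) and W5 (same person entered and approved, over that person's limit); the daily total also flags the controller. The point for the auditor is that each exception maps to one of the rules in the text, so a clean run is evidence the rules are actually enforced, not just written down.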
ADHERING TO CORPORATE INVESTMENT STRATEGY
Through the course of business, organizations have excess cash that should be invested in overnight instruments or other acceptable forms of investment as set out in a corporate investment strategy.
Internal auditors can ask for the company’s investment policy, which should clearly define acceptable types of investments and establish how often management is expected to review the investment portfolio to detect exceptions to the policy. Companies with a large investment portfolio should also have a good investment tracking system.
Auditors can use the investment policy to determine whether the treasury division is honoring guidelines to stay within the organization’s risk parameters. If a corporate guideline dictates that no more than 10 percent of the treasury portfolio be invested with any single company, then any purchase of commercial paper that will cause the total position in an issuer’s paper to exceed 10 percent should raise a red flag. Other common guidelines limit the maturity on instruments to a set time frame, such as no more than five years, or to instruments that carry a certain rating, such as an “A rating” or better.
Internal auditors should ensure that adherence to these guidelines is checked at least monthly by an individual who is not making the investments. These rules are intended to limit the types of investments that treasury personnel can transact. If investments turn sour, then investment losses might be limited.
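As an added illustration, not from the original article or any particular company's policy, the Python script below encodes the three guidelines just described (10 percent per issuer, five-year maximum maturity, A rating or better) as a monthly review plus a pre-trade check. Issuers, instruments, face values and the as-of date are constructed. Two assumptions are made explicit in the code and should be replaced by the wording of the real policy: "A rating or better" is read as the A category (A- or better), and government paper is treated as exempt from the single-issuer limit.

```python
from dataclasses import dataclass
from datetime import date

# Ordered rating scale, best first. Assumed reading of "A rating or better": the
# A category, i.e. A- or better. Set MIN_RATING = "A" if the policy means flat A.
RATING_SCALE = ["AAA", "AA+", "AA", "AA-", "A+", "A", "A-",
                "BBB+", "BBB", "BBB-", "BB+", "BB", "BB-", "B+", "B", "B-"]
MAX_ISSUER_SHARE = 0.10            # no more than 10 percent with any single issuer
MAX_TENOR_YEARS = 5                # no instrument maturing more than five years out
MIN_RATING = "A-"
# Assumed policy extension: government paper is not subject to the issuer limit.
EXEMPT_FROM_ISSUER_LIMIT = {"US Treasury"}

@dataclass(frozen=True)
class Position:
    issuer: str
    instrument: str
    face_value: float
    maturity: date
    rating: str

def rating_ok(rating, minimum=MIN_RATING):
    """True when rating is at least as good as minimum on the ordered scale."""
    return RATING_SCALE.index(rating) <= RATING_SCALE.index(minimum)

def years_to_maturity(maturity, as_of):
    return (maturity - as_of).days / 365.25

def issuer_share(portfolio, issuer, extra=0.0):
    """Issuer's share of the portfolio, optionally after adding extra face value
    (the denominator grows too, which a naive pre-trade check forgets)."""
    total = sum(p.face_value for p in portfolio) + extra
    held = sum(p.face_value for p in portfolio if p.issuer == issuer) + extra
    return held / total if total else 0.0

def review_portfolio(portfolio, as_of):
    """Monthly review by someone who did not make the investments: one line per exception."""
    findings = []
    for issuer in sorted({p.issuer for p in portfolio} - EXEMPT_FROM_ISSUER_LIMIT):
        share = issuer_share(portfolio, issuer)
        if share > MAX_ISSUER_SHARE:
            findings.append(f"{issuer}: {share:.1%} of portfolio, over the {MAX_ISSUER_SHARE:.0%} limit")
    for p in portfolio:
        tenor = years_to_maturity(p.maturity, as_of)
        if tenor > MAX_TENOR_YEARS:
            findings.append(f"{p.instrument}: matures in {tenor:.1f} years, over the {MAX_TENOR_YEARS}-year limit")
        if not rating_ok(p.rating):
            # Covers the downgrade-after-purchase case; whether to sell or hold
            # is a policy decision, but the exception must surface.
            findings.append(f"{p.instrument}: rated {p.rating}, below the {MIN_RATING} minimum")
    return findings

def pretrade_check(portfolio, issuer, face_value, maturity, rating, as_of):
    """Red flags for a proposed purchase, evaluated on the post-trade portfolio."""
    reasons = []
    if issuer not in EXEMPT_FROM_ISSUER_LIMIT and \
            issuer_share(portfolio, issuer, extra=face_value) > MAX_ISSUER_SHARE:
        reasons.append("post-trade issuer concentration over limit")
    if years_to_maturity(maturity, as_of) > MAX_TENOR_YEARS:
        reasons.append("tenor over limit")
    if not rating_ok(rating):
        reasons.append("rating below minimum")
    return reasons

# Constructed portfolio and review date (hypothetical issuers; face values in dollars).
AS_OF = date(2024, 3, 31)
SAMPLE_TRADE_MATURITY = date(2024, 7, 1)
SAMPLE_PORTFOLIO = [
    Position("Issuer Alpha", "CP-ALPHA-01", 12_000_000, date(2024, 6, 28), "A+"),   # 12 percent
    Position("Issuer Beta", "CP-BETA-01", 8_000_000, date(2024, 5, 15), "AA"),
    Position("Issuer Gamma", "NOTE-GAMMA-01", 9_000_000, date(2030, 1, 15), "AA-"), # too long
    Position("Issuer Delta", "CP-DELTA-01", 6_000_000, date(2024, 4, 30), "BBB+"),  # downgraded
    Position("US Treasury", "T-BILL-01", 65_000_000, date(2024, 9, 12), "AAA"),
]

if __name__ == "__main__":
    for line in review_portfolio(SAMPLE_PORTFOLIO, AS_OF):
        print(line)
    print(pretrade_check(SAMPLE_PORTFOLIO, "Issuer Beta", 3_000_000,
                         SAMPLE_TRADE_MATURITY, "AA", AS_OF))
```

On the constructed portfolio the review produces three findings (Alpha over the concentration limit, the Gamma note maturing beyond five years, Delta's paper now below the rating floor), and a proposed $3 million purchase of Beta paper is flagged because the post-trade position would be about 10.7 percent of the enlarged portfolio, while a $2 million purchase passes. The pre-trade check is the "red flag" the text describes; the monthly review is the independent check that should run whether or not a trade is pending.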
Writing a sound investment policy is no small task. In a recent review of the policy of a corporate treasury group for a U.S. technology company, auditors discovered ambiguity in the policy’s intended message. The policy was unclear about what the investment manager is expected to do when an investment purchased in accord with the policy sours because the issuer’s credit rating falls below an acceptable level. Should the investment be sold immediately or allowed to ride to its maturity? It also delegated unlimited authority to the treasurer to set separate investment guidelines for subsidiaries in emerging economies. Furthermore, the policy was vague about what reports on investment performance the senior executives should receive periodically. Best efforts should be made to clearly define corporate policy in gray areas or, at a minimum, to require regular review by an independent senior corporate executive or committee.
One of the greatest control-related temptations for any organization is to allow the treasury department to prepare entries to the general ledger for treasury transactions. This temptation is particularly acute for hedge transactions because the financial calculations required can be enormously complex. The simple rule is to create a wall between the treasury and accounting departments as a natural checkpoint for treasury transactions. The more automated the interface between treasury transactions and the accounting department’s general ledger, the greater the control over human error and fraud.
For most middle-market firms, however, the interface between treasury and accounting is manual. In this case, the people who created the initial transaction should not be in a position to reconcile what is being entered into the general ledger. For example, the person who calls the bank to initiate a wire transfer should not be the same individual who reconciles the transaction in the general ledger.
In one recent instance at a multi-billion-dollar U.S. company, a manager who oversaw the external investment managers and could initiate wires was responsible for receiving and editing investment information from the custodian before submitting the data to the accounting department for the purpose of updating the general ledger. The same individual ultimately reconciled the general ledger entries with the custodians’ reports. Thus, one individual could set up a bogus investment manager to transfer money to and then hide embezzled funds with creative accounting — a perfect storm scenario in terms of unsegregated duties.
Segregating reconciliation duties can be difficult, especially when the complexity of treasury activities exceeds the experience and training of accounting personnel. If treasury is doing a derivative or interest-rate swap, accounting staff might not understand how to account for the transaction and could lean on the treasury personnel for guidance. This situation happens at even the largest companies and among very knowledgeable people. When it is discovered, the internal auditor is obligated to remind management that the accounting staff needs to become familiar with these transactions and learn how to check them for accuracy and compliance with corporate guidelines.
To the extent possible, internal auditors should verify that different individuals:
- Effect a wire transfer or investment.
- Book the wire transfer or investment to the general ledger.
- Reconcile general ledger entries against the data from the banks.
If all three activities cannot be segregated, internal auditors should at least ensure that one individual never performs more than two of them. The complexity of the treasury function is no excuse for diluting the segregation of execution, booking, and reconciliation.
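The three-way segregation above can be tested at two levels: against the role export (who could perform each activity) and against the activity log (who actually executed, booked and reconciled each transaction). The Python script below is an added example, not from the article; its users, roles and log entries are constructed. It treats holding all three roles as a finding, tolerates two of three as the text allows, and at the transaction level flags the initiator reconciling their own transaction, which the text singles out.

```python
from collections import defaultdict

# The three activities the article says different individuals should perform.
STEPS = ("execute", "book", "reconcile")

# Constructed role export (hypothetical users): user id -> activities their access allows.
ENTITLEMENTS = {
    "e.cashmgr": {"execute"},
    "f.bookkeeper": {"book"},
    "g.reconciler": {"reconcile"},
    "h.analyst": {"execute", "book"},                  # two of three: tolerated by the text
    "m.invmgr": {"execute", "book", "reconcile"},      # all three: the unsegregated manager
}

# Constructed activity log: (transaction id, step, user who performed it).
ACTIVITY_LOG = [
    ("INV-100", "execute", "m.invmgr"),
    ("INV-100", "book", "m.invmgr"),
    ("INV-100", "reconcile", "m.invmgr"),
    ("WIRE-201", "execute", "e.cashmgr"),
    ("WIRE-201", "book", "f.bookkeeper"),
    ("WIRE-201", "reconcile", "e.cashmgr"),            # initiator reconciled own wire
    ("WIRE-202", "execute", "h.analyst"),
    ("WIRE-202", "book", "h.analyst"),
    ("WIRE-202", "reconcile", "g.reconciler"),
]

def entitlement_findings(entitlements):
    """Users whose standing access covers all three activities (a toxic combination
    even before any transaction is looked at)."""
    return sorted(user for user, roles in entitlements.items() if set(STEPS) <= set(roles))

def transaction_findings(log, entitlements):
    """Per transaction: who performed each step, and which combinations break the rule."""
    actors = defaultdict(dict)
    findings = defaultdict(list)
    for txn, step, user in log:
        actors[txn][step] = user
        # Cross-reference: an action outside the user's entitlements is its own finding.
        if step not in entitlements.get(user, set()):
            findings[txn].append(f"{user} performed {step} without entitlement")
    for txn, by_step in actors.items():
        if len(by_step) == 3 and len(set(by_step.values())) == 1:
            findings[txn].append("one individual executed, booked and reconciled")
        elif by_step.get("execute") is not None and by_step.get("execute") == by_step.get("reconcile"):
            findings[txn].append("initiator reconciled own transaction")
        missing = [s for s in STEPS if s not in by_step]
        if missing:
            findings[txn].append("steps not evidenced: " + ", ".join(missing))
    return dict(findings)

if __name__ == "__main__":
    print("all three roles:", entitlement_findings(ENTITLEMENTS))
    for txn, problems in sorted(transaction_findings(ACTIVITY_LOG, ENTITLEMENTS).items()):
        print(txn, "->", "; ".join(problems))
```

On the constructed data the role export names one user holding all three activities, INV-100 shows that user performing all three on one transaction (the scenario from the multi-billion-dollar company above), and WIRE-201 shows a cash manager reconciling a wire he initiated, using access the role export says he should not have. WIRE-202, where one person executed and booked but someone else reconciled, produces no finding, matching the text's "never more than two" fallback.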
AUDIT WORK IS INDISPENSABLE
Even a good internal audit system depends on human intervention to succeed. Automated systems by themselves are not enough to keep the treasury function free of error and fraud. The work of internal audit is indispensable to keeping the treasury division in compliance and protected.
Organizations of all sizes can keep corporate cash from being raided, intentionally or unwittingly, with internal audit controls that better secure cash management, investment, and reconciliation processes. These tighter controls ensure that the cash the treasury manages is available for corporate growth.
Auditing Banking Relationships
Bank relationship management is a core function of the treasury division. By asking treasury officials how many bank accounts they manage, what each account’s purpose is, and which accounts are tied together as zero balance or sweep accounts, internal auditors can determine whether the treasurer has eliminated all but the absolutely essential bank accounts. Zero balance and sweep accounts are two distinct types of account. A zero balance account (ZBA) automatically moves funds from one demand deposit account (the ZBA) to another demand deposit account (a master account), neither of which is an interest-bearing account. In contrast, a sweep account automatically moves funds from a demand deposit account to an investment account or instrument that pays interest.
Having the fewest accounts feasible reduces administrative costs, improves return on cash, and minimizes opportunities for errors or fraud. The remaining accounts should be structured such that the funds move automatically to a master account, a feature of zero balance accounts that eliminates the need to manage several pockets of cash.
Ultimately, the decision whether to open another bank account must be based on a careful weighing of convenience versus risk. Bank accounts have a tendency to proliferate because additional accounts make the business easier to administer for the employees, but invariably they add an element of risk because each account provides one more avenue for error or fraud.
I welcome your comments and suggestions.
Jonathan T. Marks, CPA, CFE