The treasurer of one of the largest oil companies in the United States recently learned the internal controls over the initiation of wire transfers were alarmingly loose. Every free-form wire required the approval of the assistant treasurer, but in most instances that individual had no reasonable grounds for challenging the wires, and therefore he provided blanket approvals. Another safeguard on wires — the use of “repetitive wires” — was similarly diluted because one of the repetitives permitted the foreign controller to also act as an authorized approver. The foreign controller could approve wires from the corporate account to his personal account. Although these loopholes never resulted in a significant loss for the oil company, the same was not true at Société Générale. Shares of the Paris-based bank fell by almost a third in early 2008 on news that an arbitrage trader made €4.9 billion (US $6.9 billion) in unauthorized investments in the futures markets, using extensive knowledge gained from previous back-office work to circumvent or override internal control procedures and exceed his limited authority.
All organizations that manage large stores of cash run a similar risk — that with one bad investment or one careless wire transfer, a treasurer can burn through company assets that have taken years to accumulate. These organizations are unlikely to recover money lost through a bad investment or a wire transfer to an unethical or unreachable party. This potential loss increases the importance of preventing both mistakes and fraud.
Although outright fraud is rare in corporate treasury departments, organizations face risks when the movement of cash is not monitored adequately. Internal auditors can shore up controls for the most risky core treasury functions — cash management, short-term investments, and accounting for cash — to help prevent corporate cash from being placed at risk.
In the eyes of many internal auditors, the treasury function is mysterious due to the complexity of instruments treasurers manipulate on a daily basis. Treasury departments manage their organization’s most fragile, fungible asset — cash — and may have access to almost everything the organization is worth. In addition, treasurers serve many managers, are dependent on multiple financial institutions, and often work with manual processes that increase the risk of error and fraud (see “How to Organize an Internal Audit for Treasury,” below).
As the corporate “bank,” a treasurer regulates an organization’s lifeblood, money, as it comes in and goes out. On their organization’s behalf, treasurers assume debt, make investments, manage risk and daily cash balances, and initiate electronic transfers. They also manage banking relationships, which can be numerous. Each time an organization grows through geographic expansion or acquisition, other accounts might be added or inherited. Over time, organizations tend to accumulate banking relationships that need to be weeded out by the treasurer (see “Auditing Banking Relationships,” at end of article).
The challenge for internal auditors is to determine whether the controls in the treasury department are stringent enough. Experience has proved that controls over lines of authority, communication, investment strategy parameters, and segregation of duties are the most prone to breakdown in the treasury department. Internal auditors can drill into each of these areas and determine whether adequate controls are in place by asking pointed questions, such as:
In some organizations, the people who are authorized to approve payments number in the hundreds.
One U.S. credit card issuer empowered more than 200 employees to instruct the treasury department to effect wire instructions. In this company, the treasury department did not have copies of the employees’ specimen signatures, and the list of authorized individuals was rarely updated to reflect staff departures.
Internal auditors are responsible for ensuring controls are in place when electronic transfers and payments are initiated. At a minimum, auditors should:
ADHERING TO CORPORATE INVESTMENT STRATEGY
Through the course of business, organizations have excess cash that should be invested in overnight instruments or other acceptable forms of investment as set out in a corporate investment strategy.
Internal auditors can ask for the company’s investment policy, which should clearly define acceptable types of investments and establish how often management is expected to review the investment portfolio to detect exceptions to the policy. Companies with a large investment portfolio should also have a good investment tracking system.
Auditors can use the investment policy to determine whether the treasury division is honoring guidelines to stay within the organization’s risk parameters. If a corporate guideline dictates that no more than 10 percent of the treasury portfolio be invested with any single company, then any purchase of commercial paper that will cause the total position in an issuer’s paper to exceed 10 percent should raise a red flag. Other common guidelines limit the maturity on instruments to a set time frame, such as no more than five years, or to instruments that carry a certain rating, such as an “A rating” or better.
Internal auditors should ensure that adherence to these guidelines is checked at least monthly by an individual who is not making the investments. These rules are intended to limit the types of investments that treasury personnel can transact. If investments turn sour, then investment losses might be limited.
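The guideline checks described above (10 percent per issuer, five-year maximum maturity, “A” or better) can be run over the whole portfolio for the monthly review, or over the portfolio plus a proposed purchase. This is an added example, not part of the original article; the holdings, the field names and the simplified rating scale are constructed assumptions, and the 10 percent test is measured against the total including the purchase.

```python
from collections import defaultdict

# Simplified rating scale, best first (assumption; no +/- modifiers).
RATING_ORDER = ["AAA", "AA", "A", "BBB", "BB", "B"]
POLICY = {"max_issuer_pct": 10, "max_maturity_years": 5, "min_rating": "A"}

# Constructed holdings, amounts in USD.
PORTFOLIO = [
    {"issuer": f"Issuer{i:02d}", "amount": 9_000_000,
     "rating": "AA", "maturity_years": 2}
    for i in range(1, 11)
]
PORTFOLIO.append({"issuer": "Acme", "amount": 8_000_000,
                  "rating": "A", "maturity_years": 1})

def policy_breaches(holdings, policy=POLICY):
    """Return a sorted list of (issuer, breach) pairs for the given holdings."""
    total = sum(h["amount"] for h in holdings)
    by_issuer = defaultdict(int)
    for h in holdings:
        by_issuer[h["issuer"]] += h["amount"]

    breaches = set()
    # Concentration: the total position per issuer, not per instrument.
    for issuer, amount in by_issuer.items():
        if amount * 100 > policy["max_issuer_pct"] * total:
            breaches.add((issuer, "concentration"))

    floor = RATING_ORDER.index(policy["min_rating"])
    for h in holdings:
        if h["maturity_years"] > policy["max_maturity_years"]:
            breaches.add((h["issuer"], "maturity"))
        if RATING_ORDER.index(h["rating"]) > floor:
            breaches.add((h["issuer"], "rating"))
    return sorted(breaches)

def breaches_if_purchased(holdings, purchase, policy=POLICY):
    """Pre-trade check: evaluate the portfolio as it would stand after the buy."""
    return policy_breaches(holdings + [purchase], policy)

if __name__ == "__main__":
    paper = {"issuer": "Acme", "amount": 3_000_000,
             "rating": "A", "maturity_years": 1}
    print(policy_breaches(PORTFOLIO))
    print(breaches_if_purchased(PORTFOLIO, paper))
```

Running the same function on a custodian extract, by someone who does not place the trades, gives the independent monthly check the policy calls for.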
Writing a sound investment policy is no small task. In a recent review of the policy of a corporate treasury group for a U.S. technology company, auditors discovered ambiguity in the policy’s intended message. The policy was unclear about what the investment manager is expected to do when an investment purchased in accord with the policy sours because the issuer’s credit rating falls below an acceptable level. Should the investment be sold immediately or allowed to ride to its maturity? It also delegated unlimited authority to the treasurer to set separate investment guidelines for subsidiaries in emerging economies. Furthermore, the policy was vague about what reports on investment performance the senior executives should receive periodically. Best efforts should be made to clearly define corporate policy in gray areas or, at a minimum, to require regular review by an independent senior corporate executive or committee.
One of the greatest control-related temptations for any organization is to allow the treasury department to prepare entries to the general ledger for treasury transactions. This temptation is particularly acute for hedge transactions because the financial calculations required can be enormously complex. The simple rule is to create a wall between the treasury and accounting departments as a natural checkpoint for treasury transactions. The more automated the interface between treasury transactions and the accounting department’s general ledger, the greater the control over human error and fraud.
For most middle-market firms, however, the interface between treasury and accounting is manual. In this case, the people who created the initial transaction should not be in a position to reconcile what is being entered into the general ledger. For example, the person who calls the bank to initiate a wire transfer should not be the same individual who reconciles the transaction in the general ledger.
In one recent instance at a multi-billion-dollar U.S. company, a manager who oversaw the external investment managers and could initiate wires was responsible for receiving and editing investment information from the custodian before submitting the data to the accounting department for the purpose of updating the general ledger. The same individual ultimately reconciled the general ledger entries with the custodians’ reports. Thus, one individual could set up a bogus investment manager to transfer money to and then hide embezzled funds with creative accounting — a perfect storm scenario in terms of unsegregated duties.
Segregating reconciliation duties can be difficult, especially when the complexity of treasury activities exceeds the experience and training of accounting personnel. If treasury is doing a derivative or interest-rate swap, accounting staff might not understand how to account for the transaction and could lean on the treasury personnel for guidance. This situation happens at even the largest companies and among very knowledgeable people. When it is discovered, the internal auditor is obligated to remind management that the accounting staff needs to become familiar with these transactions and learn how to check them for accuracy and compliance with corporate guidelines.
To the extent possible, internal auditors should verify that different individuals:
Auditing Banking Relationships
Bank relationship management is a core function of the treasury division. By asking treasury officials how many bank accounts they manage, what the accounts’ purposes are, and which accounts are tied together as zero balance or sweep accounts, internal auditors can determine whether the treasurer has eliminated all but the absolutely essential bank accounts. Zero balance and sweep accounts are two distinct types of accounts. A zero balance account (ZBA) automatically moves funds from one demand deposit account (the ZBA) to another demand deposit account (a master account), neither of which is an interest-bearing account. In contrast, a sweep account automatically moves funds from a demand deposit account to an investment account or instrument that pays interest.
Having the fewest accounts feasible reduces administrative costs, improves return on cash, and minimizes opportunities for errors or fraud. The remaining accounts should be structured such that the funds move automatically to a master account, a feature of zero balance accounts that eliminates the need to manage several pockets of cash.
Ultimately, the decision whether to open another bank account must be based on a careful weighing of convenience versus risk. Bank accounts have a tendency to proliferate because additional accounts make the business easier to administer for the employees, but invariably they add an element of risk because each account provides one more avenue for error or fraud.
I welcome your comments and suggestions.
Jonathan T. Marks, CPA, CFE
- Who directs corporate cash flow?
- Are the most secure methods being used to communicate with treasury officials about moving money?
- Are treasury officials complying with the organization’s short-term investment strategy?
- Are treasury transaction and accounting reconciliation duties segregated?

- Review the treasury list of people with the authority to initiate wire transfers, along with the dollar limits each individual may approve.
- Cross-reference the list with the electronic transactions report to make sure only authorized individuals are gaining access to company coffers.
- Ensure current specimen signatures for authorized individuals are on file.

- A specific password for each user, never shared with another user.
- Limits on each user’s authority. For example, the same person should not be able to enter wire instructions and approve wires. This process should require the participation of two separate individuals for a free-form wire.
- Limits on the dollar amount per wire and/or per day that a user can initiate or approve.
- Periodic and required changes to passwords.
- Segregation of duties so that the systems administrator cannot be a user of the system.

- Effect a wire transfer or investment.
- Book the wire transfer or investment to the general ledger.
- Reconcile general ledger entries against the data from the banks.
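
The checks listed above (authorized initiators and their dollar limits, separate entry and approval, and different individuals effecting, booking and reconciling a wire) can be run directly against an electronic transactions report. This is an added example, not part of the original article; the user names, amounts, limits and report field names are constructed assumptions.

```python
from collections import defaultdict

# Constructed authorization list: user -> dollar limits (USD).
AUTHORIZED = {
    "alice": {"per_wire": 50_000, "per_day": 100_000},
    "bob": {"per_wire": 250_000, "per_day": 500_000},
}

def wire(wid, amount, entered, approved, booked, reconciled, date="2024-03-01"):
    """Build one row of the constructed transactions report."""
    return {"id": wid, "date": date, "amount": amount, "entered_by": entered,
            "approved_by": approved, "booked_by": booked,
            "reconciled_by": reconciled}

WIRES = [
    wire("W1", 40_000, "alice", "bob", "carol", "dave"),
    wire("W2", 45_000, "alice", "bob", "carol", "dave"),
    wire("W3", 30_000, "alice", "bob", "carol", "dave"),     # third wire that day
    wire("W4", 300_000, "bob", "bob", "carol", "carol"),
    wire("W5", 10_000, "mallory", "alice", "carol", "dave"),
]

def audit_wires(wires, authorized):
    """Return {wire_id: [findings]} for wires that break a listed control."""
    findings = defaultdict(list)
    daily = defaultdict(int)          # (user, date) -> running total initiated
    for w in wires:
        user, amount = w["entered_by"], w["amount"]
        limits = authorized.get(user)
        if limits is None:
            findings[w["id"]].append("initiator not on authorized list")
        else:
            if amount > limits["per_wire"]:
                findings[w["id"]].append("exceeds per-wire limit")
            daily[(user, w["date"])] += amount
            if daily[(user, w["date"])] > limits["per_day"]:
                findings[w["id"]].append("exceeds per-day limit")
        if w["approved_by"] == user:
            findings[w["id"]].append("entered and approved by same person")
        # Effecting, booking and reconciling must be three different people.
        if len({user, w["booked_by"], w["reconciled_by"]}) < 3:
            findings[w["id"]].append("effect/book/reconcile not segregated")
    return dict(findings)

if __name__ == "__main__":
    for wid, issues in audit_wires(WIRES, AUTHORIZED).items():
        print(wid, issues)
```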