STAYING IN CONTROL — HOW TO KEEP YOUR EMPLOYEES FROM MISAPPROPRIATING FUNDS
BY SUSAN LIEBERUM
DIRECTOR, LAW FIRM MANAGEMENT GROUP
Most of us have read horror stories about other lawyers who were
shocked to discover that long-term, trusted employees — or even
the managing partner of their firm — had misappropriated thousands
of dollars. These illegal acts can occur for a number of years and
can cost law firms hundreds of thousands of dollars.
What motivates employees to commit fraud? In most instances, employees
who commit fraud or theft do not set out with the intention of doing
so. They may find themselves in an environment where they identify
"holes in the system" or areas of weak internal controls
and cannot resist the temptation to take advantage of the situation.
Some employees may be facing financial difficulties or desire to
lead lifestyles they cannot sustain on their current salaries. Thus,
they "borrow" firm funds with every intention of replacing
them. No firm, large or small, is exempt from the danger of embezzlement
or fraud. One way to avoid or close such gaps is to build
internal controls into the firm's culture.
Years ago, evaluating internal controls focused mainly on the segregation
of duties. Managers thought that if procedures were divided and
performed by a number of different people, it was unlikely that
a theft could be committed. Today, evaluation of internal controls
has a much broader approach that was shaped by the enactment of
the Foreign Corrupt Practices Act of 1977.
In 1985, an overwhelmingly large number of businesses failed because
of fraud. In response, the U.S. government formed the Treadway Commission
in 1987. The commission consisted of professionals representing
the American Institute of Certified Public Accountants, the Institute
of Management Accountants, the American Accounting Association,
the Institute of Internal Auditors and the Financial Executives
Institute.
The Treadway Commission formed the Committee of Sponsoring Organizations
(COSO) as a special task force to identify and reduce fraudulent
financial reporting. The task force determined that there were various
definitions of internal control as well as different viewpoints
on how to determine its effectiveness within an organization.
COSO realized the importance of standardizing criteria for establishing
and maintaining internal controls. The committee published a report
that has become the basis for sound internal controls in many organizations.
In its report, COSO defines internal controls as "a process,
effected by an entity's board of directors, management, and other
personnel, designed to provide reasonable assurance regarding the
achievement of objectives in categories relating to operations,
financial reporting, and compliance with applicable laws and regulations."
In other words, management beliefs are the basis of the firm's
culture. Management strategies set objectives for various aspects
of the firm, such as operations, financial reporting and compliance.
It is the combination of firm culture and strategies that will determine
effectiveness and efficiency within the firm.
The COSO report points to five components in establishing successful
control: (1) control of the environment; (2) risk assessment; (3)
control of activities; (4) information and communications; and (5)
monitoring.
CONTROLLING THE ENVIRONMENT
To evaluate your firm's internal controls, start with controlling
the environment. A controlled environment sets the overall tone
of an organization and influences the control consciousness of its
people. When management displays highly ethical beliefs and behaviors,
they will trickle down through the organization. The same holds
true for unethical behavior. Unethical behavior by management will
likely affect the attitude of others.
Once management has established the ethical level of the firm,
guidelines for appropriate behavior must be clearly communicated.
Communication should be done through codes of conduct and policy
manuals that include acceptable business practices, expected standards,
or ethical or moral behavior. This communication process will likely
produce a cohesive work environment. A person who does not agree
with the ethical standards will likely leave for an environment
that better matches his or her own ethical standards.
In assessing a firm's culture, certain aspects should be considered
that relate to a firm's objectives and individual goals. Are these
goals and objectives realistic and attainable? Has the firm created
an environment in which it is difficult to survive? (If this is
the case, an employee may behave unethically in order to meet unrealistic
firm objectives.) Is financial reporting an important process in
the firm? If not, how is performance measured?
There are many considerations that need to be reviewed to understand
a firm's culture. It is the controlled environment, otherwise known
as firm culture, that sets the tone for the following four components.
RISK ASSESSMENT
Risk assessment is an organization's identification, analysis and
management of risk relevant to internal control objectives. It is
an overview to identify areas that impact on safeguarding the firm's
assets. To assess risk, operations should be broken down into segments.
Each segment must be examined to determine if there is any risk
to the firm if that particular segment fails.
For example, there is a tremendous risk to a firm if the trust
account is not maintained properly, whereas there may be little
or no risk to the firm if the receptionist calls in sick. The risk
assessment process means taking a step back and evaluating the entire
operation on a step-by-step basis, and then determining whether
the firm has any negative exposure.
If there is negative exposure, then the firm must determine at
what level it is willing to accept that exposure. The willingness
to accept risk associated with negative exposure will depend on
the ethical standards set in the controlled environment.
Risk assessment is an ongoing process, especially in an organization
going through a period of change. As the organization grows, either
through increased revenue or a merger, risk assessment should identify
these changing conditions. Necessary steps and actions need to be
taken to manage those risks through development of new policies
and procedures.
CONTROL OF ACTIVITIES
Controlling activities refers to the policies and procedures established
to help ensure that management objectives are carried out. A policy
instituting the firm's objectives should be established. Procedures
should be designed in a way that will ensure the implementation
of the policy. There are a variety of ways to control activities
that should be considered. Some of them include:
- Review of billable hours and realization. Billable hours have always
been used to measure an employee's performance. However, consideration
must be given to the pressure that some attorneys may feel to meet
their billable-hour goal. Many firms review billable hours without
giving consideration to other significant issues. Excessive or minimal
billable hours indicate different issues.
- When faced with excessive billable hours, firms should consider
those hours for a particular employee in relation to the time he or
she was present and examine the matter that caused these hours
to be incurred. Lower billable hours should also raise a red flag
when there is no logical reason for them, especially if the employee
was working every day. Firms should also be alert for client bills
indicating low billable hours but inflated expenses to cover the
employee's personal expenses. Do the hours billed correspond with
the number of hours the employee was present?
- Reviewing cash realization is another way to monitor billable hours.
Many firms review the amount billed to a client and compare it to
the amount collected, but rarely review and compare the amount of
time spent to the cash collected. By monitoring realization, detection
of unbilled hours becomes evident. A firm should gain an understanding
of the reasons for unbilled hours and monitor future billable hours
by partners and associates through this realization tool.
- Write-offs. In assessing risk, write-off procedures should be taken
into consideration. A firm has the risk of losing revenue by allowing
anyone to write off receivables. Write-offs should be authorized
by the managing partner. Before the write-off is authorized, communication
about issues surrounding the collection of the receivables must
take place. Once the managing partner understands the issues, the
write-off can be authorized. An authorization form, signed by the
managing partner, should be submitted to accounting, leaving an
audit trail.
- Rule by committee. Ruling through an executive committee rather
than a single person allows for diversification. In addition, using
a mix of junior and senior partners provides for different points
of view on instituting internal controls. The junior partner is
usually eager and understands the importance of overseeing internal
controls, while the senior partner, who is more complacent about
internal controls, brings seasoned experience to the mix. In the
event there is a "bulldog," a partner who is overpowering
and discourages people from challenging him or her on decisions or actions
that seem inappropriate, it is prudent to involve a third party.
The executive committee should also — either by itself or through
a subcommittee — review the managing partner. It is the managing
partner who controls the ultimate decision-making process, so a
review of his or her ethics and decisions should be part of the
process of monitoring the firm's internal controls.
HUMAN RESOURCE ISSUES
- Vacation policy: Does the firm have employees who are so dedicated
they never take a vacation? The firm may view those employees as
indispensable, but may find out later that they were better off
without them. Employees who refuse to take long vacations could
be hiding something. They know their "house of cards"
will fall if they are gone for a long period of time. A vacation
policy, although viewed as a benefit, should be a mandatory policy.
- Background checks: Background checks should be part of the firm's
hiring policy. In order to run a background check, an applicant
must authorize the procedure. A candidate who allows a firm to perform
a background check usually has nothing to hide.
However, be aware that there are chronic offenders who know how
to beat the system. Unfortunately, firms that have experienced theft
or embezzlement do not always report the employee to the proper
authority, leaving the employee the chance to do the same thing
at another firm.
After the hiring process is completed, gain an understanding of
the employee's style of living. Does an employee show signs of living
beyond his or her means? If so, it may be an indication that he
or she is using the firm's funds to cover a high cost of living.
- Employee bonding: A firm should check with its insurance agent to
see if it has coverage for dishonest employees. Also, it is important
to check to see which employees are covered under the policy.
- Job description and evaluations: Written job descriptions are an
absolute necessity for a number of reasons. A documented job description
communicates to employees the responsibilities and expectations
of their job and performance. Through risk assessment, the firm
may review the proper segregation of duties.
By preparing written job descriptions, the firm's awareness of
certain duties heightens. It allows for proper evaluation of personnel.
Does the employee have the knowledge and skills necessary to perform
the job adequately? Having the wrong person in the position will
allow for the breakdown of certain procedures that may be critical
to internal controls.
Hire a competent chief financial officer and auditors. Without
continuing risk assessment as a firm grows, the firm will be unaware
that it has outgrown its current staff. Although the staff may be
dedicated and perform their job functions, there may be a need for
additional management. Hiring a competent CFO may fulfill that need.
A competent CFO should be able to oversee the procedures of internal
controls, firm administration, and collection and monitoring of
financial information.
Many firms hire independent certified public accountants to provide
a report on their firm's financial condition. However, firms should
be aware of the CPA's responsibility regarding financial reporting.
The CPA is responsible for understanding the controls and detecting
material misstatements only when performing an audit. The CPA is
not responsible for reviewing internal controls in detail. This
is a responsibility held by the firm's management. The firm can,
however, engage a CPA to perform a detailed review and detect any
systematic flaws that may appear.
OUTSIDE ASSISTANCE
- Hotline: Certain employees in the firm may be aware of fraud or
embezzlement taking place but are uncomfortable about coming forward
with that information. Setting up an anonymous hotline provides
a way for employees to report any wrongdoing. The hotline could
be a dedicated line with an answering machine to take messages,
or an independent third party can receive calls.
- Counseling: On occasion, employees may find themselves in a situation
that they do not know how to resolve. There may be a gambling, drug
or alcohol problem that needs to be addressed. Having a confidential
counselor may be of assistance.
A counselor can be hired by the law firm to provide completely
confidential counseling sessions to employees in need. This will
provide employees the assistance they need to work through their
problem before it adversely affects the firm.
- Written procedures. A firm should have written procedures for processing
cash receipts and disbursements. Segregation of duties should be
considered. Checks received should be restrictively endorsed and
logged by the person opening the mail. The deposit slips should
be prepared by another employee. A third employee should take the
deposit to the bank. A fourth employee, independent of the receipt
and deposit process, should apply the check to the proper client's
account.
- For disbursement, an approved vendor list should be generated. Attorneys
need to review the list to make sure there are no conflicts of interest
with the vendors. A purchasing policy should be put into place that
provides authorization to key management personnel. Invoices should
be approved prior to processing the check. The check should be signed
by someone not responsible for reconciling the bank account.
- Segregating functions is a way to ensure control. Unfortunately,
it is not always an option with smaller firms. In situations where
there are few employees, the best safeguard is to have the responsible
partner open all bank statements.
The bank account should not be reconciled until the managing partner
has opened the statement and reviewed it. The review process should
consist of scanning the statement for overdrafts or unauthorized
wire transfers. Canceled checks should be reviewed to ensure they
have the proper signatures and the appropriate endorsement.
- It is important for a law firm to maintain written ethical standards
that explain what is considered unacceptable behavior. Employees
should be required to sign a representation that they have read
and understand the written ethical standards. For new hires, written
ethical standards provide insight into the firm's culture at the
onset of their careers there.
- Collusion. Collusion is the conscious decision of two or more people
to commit fraud or embezzlement. Because of the involvement of more
than one person, it is difficult to detect and is usually discovered
through external monitoring.
INFORMATION AND COMMUNICATION
Information pertinent to management needs to be identified. A reliable
information system should be designed that easily provides management
with reports and other data on a regular basis. An audit trail should
be part of the information system. The audit trail will provide
documentation and records needed to support transactions and accounting
of the firm.
Communication is key in this process. Management should communicate
its requirements to appropriate personnel. Managers often become
frustrated when they don't get reports that help them make the right
decisions — usually because they never ask for the right information.
After information has been obtained and reviewed, management should
communicate the results. An attorney may not be aware of a slippage
in billable hours because it was not communicated. This seemingly
simple process of communication doesn't always occur, thus producing
ineffective controls.
MONITORING
Monitoring is a process that assesses the quality of an organization's
internal control over time. It involves regularly assessing the
design and operation of control and taking actions as necessary.
Without proper monitoring, internal controls will fall by the wayside.
Monitoring should be done internally and externally. Internal monitoring
includes reviewing financial information on a regular basis, as
well as management and supervision of procedures. External monitoring
can be provided by a third party. A third party, a client or vendor,
may provide insight into something that is wrong.
For instance, there was a situation where a valued client had an
outstanding invoice. The partner finally had the courage to discuss
it with the client. During the discussion, it was discovered that
the client had indeed paid the invoice. An investigation concluded
that a trusted employee had stolen the check and deposited it into
an account of which the firm was not aware.
All law firms, regardless of size, need to review their internal
controls. An internal control review should not be viewed as a process
that is done once, never to be done again. It is an ongoing process
and especially important for firms that are continuing to
grow.
Internal controls start with the firm culture and environment.
Without an environment that projects adherence to ethical standards
and firm policies, internal controls will not be effective, no matter
how many procedures are put into place.