Question

FOLEO FONES CASE STUDY – Chapter 9:

Assume you are the management accountant for the Foleo Group and Tracey Chen has asked you to assist her in assessing the organisation’s internal control environment before her meeting with Peter Singh next week.  Specifically, she asks you to look at the Finance Department that you manage.  Tracey provides you with her detailed observations of the Department’s current control environment below, and asks for your input.

Finance Department:

This Department presents the highest control risk for the Foleo Group, by far. The staff within the Finance Department collect data generated by the various departments and business units within the organisation, analyse it and then generate reports that are disseminated across the organisation.  Most, if not all of this data is transmitted electronically and it currently appears that all operational staff within this Department have access to the complete suite of information passing through their accounting system.  The only exception to this, are the existing, but inadequate access controls over the payroll data, however it seems that these can be easily overridden, as demonstrated to me by one of the Finance staff members upon request.  This unrestricted access to sensitive data has led to some serious motivational issues and at this point, it is unclear whether disgruntled employees have been able to take advantage of the Finance Department’s poor control over Foleo’s data.  

Another area of concern identified by the management accountant is the poorly restricted access to the reports generated by the Department.  These reports are distributed via email (and occasionally in printed form for specific meetings) to authorised recipients, however, there is a common practice across the organisation, it seems, of sharing passwords to access other individuals’ email accounts and information.  Whilst I am informed that this practice is in the interests of timely resolution to problems, rather than fraud, my concern is that it invites dysfunctional behaviour and represents a significant risk to Foleo’s information and assets.    

The operational staff of this department who process all transactional data are subject to a number of controls that I implemented on my arrival at the organisation some 20 years ago, in order to minimise the risk of errors and omissions in the reports they generate.  As they enter data, the accounting system has a number of inbuilt safeguards to ensure that the right type of information is being entered in the right place, in addition to requests for confirmation for entered information that is abnormally high or low for specific data types.  Unfortunately, these controls along with the procedures I put in place to ensure the authenticity of transactions are routinely overridden by both operational and management staff, which is somewhat concerning, considering that James and Leon appear to be the worst offenders.  As the management accountant discovered decades ago, James and Leon regularly authorise the payment of private expenses through the company bank account and access funds as and when they need cash without following the proper procedures.  This has resulted in their salaries being seriously understated and the existence of improper expenses in the company financial statements.  I believe this sends a poor message to the employees.

As already identified in my last report, this Department struggles to deliver the required reports at year-end and other peak times, despite utilising a range of techniques to minimise the processing time of the data.  These techniques have led to errors and shortcuts that have compromised the integrity of the resulting reports, upon which Managers have based important decisions.

The access to the bank account would appear to be less of a concern.  The management accountant has charged the senior accountant Phil Brown, a loyal Foleo employee of some 10 years, with the responsibility of preparing, authorising and effecting all cash payments (despite the existence of sufficient support staff to undertake these processes).  This responsibility extends to supplier, payroll, petty cash and all other miscellaneous payments.  Phil has walked me through the system he has in place that matches documentation from all components of the purchasing process, which is the prerequisite for any payment being authorised.  He has kept meticulous files and was able to produce the purchase order, proof of delivery and supplier invoice for any payment I selected for audit.  I did notice a couple of insignificant anomalies in the records, such as a supplier’s name also appearing in the customer list of names, as well as Phil’s signature appearing on a number of receiving reports for purchased goods (a role that would normally be undertaken by the warehouse staff that received the shipment).  These anomalies seemed odd to me at the time, but were quickly explained by Phil Brown.  This may require further investigation.

(a) Based on Tracey’s observations as well as the week’s readings and lecture materials, identify five (5) lapses in the H.O. Finance Department’s control environment and explain the risks that each present.                                                                                         

            (HINT:  Ensure you identify the controls that might be missing and explain the implications for the organisation of EACH missing control.)

b. Suggest a specific control that you might introduce to address each of the lapses identified in part (a) and classify each control suggestion as either preventive or detective in nature.   Explain your choice of classifications.

            (HINT:  Refer to the Garrison reading for information on these classifications.)

c. Select three (3) controls you have suggested in part (b), and describe how each will work towards achieving the overarching objectives of the Foleo organisation.                                                                                                                                            

     (HINT:  You may need to revisit the entire Foleo Case Study and/or the exercises you have completed so far to refresh your memory of the overarching objectives of the organisation.)

     (HINT:  Ensure you identify and explain the specific objective that each control will relate to.)

Answer 1

Risks:

1. Unrestricted access to sensitive data has led to some serious motivational issues and at this point, it is unclear whether disgruntled employees have been able to take advantage
2. Sharing passwords and poorly restricted access to reports of the department to unauthorized recipients. It can lead to fraud as one person has access to other's accounts. It also puts threats upon the leaking of confidential information.
3. Overriding of controls like the authenticity of transactions being kept at stake, as inbuilt safeguards can be played with. The hazard is present in the case that two offenders have been using this loophole for their own benefit.
4. Inefficiency in providing reports on time which has resulted in short cuts and reports without integrity. It fails the organization to make decisions as the report itself is manipulated.
5. Records have anomalies like supplier names also appearing in the customers' name list. Again improper record-keeping would make the entire report faulty.

Measures

1. Restricted access to be given. Only authorized people have to access the information.
2. There should be changed in the passwords for every day and the login access can be able to track
3. Computerized input of data along with a timely check on the security and efficiency of the system to prevent any wrong use. It is a detective measure, as it needs to be found out if there is a problem in the system or by some other methods these controls are overridden.
4. A proper accountant has to be employed for the accuracy of reports. and need to purchase the customized accounting software which can bring the internal controls in making the accurate reports
5. Strict penalty on any employee who goes beyond his authority to do a task. Accounting software should not accept the duplication of names in the supplier's list and customer list and we should introduce the codes for each and every supplier and customer.

Results

1. There is no leaking of confidential information where if we give only authorized people to access
2. It may result in no loss of data and no misuse of information which brings high internal controls and it is not easy to login by the unauthorized people
3. If we computerize the data, there is less chances of errors in the data which will leads to accuracy