Time and time again the news includes another report of a law firm (most often small to medium in size) having been ripped off. The dollar amount involved in a majority of the reported thefts is a few hundred thousand, but  in some cases millions of dollars have been misappropriated. In what I consider the most unfortunate of cases, the missing funds weren’t the firm’s but funds belonging to firm clients.

How does this happen?

Recently I was reading of yet another case involving the misappropriation of cash by a trusted employee who, in retrospect, shouldn’t have been.  It dawned on me that a refresher course (or perhaps an introduction for some) on basic internal control “blocking and tackling” might be in timely.

As firms grow it is common to put off, or in far too many cases not even consider the appropriate checks and balances necessary as cash related responsibilities are delegated. Basic business measures are intended to decrease exposure to theft and fraud and, at the same time, minimize the possibility of errors.

Absent these business safeguards, it is easy to wake and find your firm the victim of someone all-too-willing to take advantage of your trust and a system that is far too easy to hack. A relatively simple system of internal controls can provide significant protection, and decrease the risk that your firm will fall prey to someone that doesn’t deserve your trust.

A thorough discussion of appropriate internal controls is beyond the intended scope of this post; but consider the following primer.

The Basics of Protection

Segregation of duties

As a small law firm grows — both in terms of number of individuals employed and revenue generated — there is an ever-increasing demand on the time of the owner(s). The resulting tendency is to delegate activities related to receiving and accounting for funds, as well the approval, payment and accounting for payments related to obligations of the law firm.

As the volume of work delegated grows, separate individuals should have responsibility for authorizing, making and accounting for payments.

Additionally, different persons should have responsibility for opening mail, depositing payments and accounting for their receipt.

Limitations on authority

One approach to decreasing exposure is to apply limitations to authority. For example, many firms require two signatures for payments that exceed a certain threshold such as $1,000. This is not about trapping a dishonest employee; it is about installing smart checks and balances around judgements and decisions that can be pivotal in nature.

Transaction review

 A firm owner should receive, unopened, the firm’s bank statements, and review them on a monthly basis. The simple fact that the statements are being reviewed will prompt a more deliberate and considered decision-making process.

For firms with two or more owners, it is smart to separate responsibilities, having one owner authorize payments (coupled with a requirement for two signatures), and another review the bank statement.

Budget/financial planning 

An annual budget reflecting anticipated expenditures and receipts is a tool that helps to minimize exposure. A monthly review of actual to expected performance will identify unplanned and perhaps inappropriate transactions.

Mandate vacations/job rotation 

A practice of forcing a continuity break by mandating vacations away from the office (and away from access to the firm’s financial systems) has a significant impact on decreasing temptation and exposing inappropriate activity. A system of rotating responsibilities associated with cash related functions has a similar impact.

External audit

Contracting with an independent accounting firm for an audit of the firm’s books is a very healthy practice. Much like other aspects of an effective internal control system, employee knowledge of the fact that periodic audits occur will decrease the likelihood of a problem.

Implementation of any of the above will result in a more secure operation; but a professional review of your firm’s financial processes and controls is most appropriate and is recommended.

How are your internal controls