Internal Controls

The scene: a managing agent of a large residential cooperative and a plumbing contractor representative having their morning coffee and croissant at a casual cafe. The air is brisk, and the talk is cool.

"You know, we just can't have anybody working in my building. I've got standards," declares the dapper managing agent. "My building's got class."

"Exactly how much class are we talking about?" inquires the plumber. He has industry experience. "I mean I don't mind sharing; I just want to be fair."

So far, so good. The parties have the openness essential for negotiation and compromise.

"Well, I'm no accountant, but I was doing some figuring," advises the agent. "I figure between the repairs to the plumbing fixtures and improvements in the drainage system we've got to be near half-a-million, give or take."

The key to success in this industry, thinks the plumber, is not so much the taking as the giving. "I don't know, what's the going rate," he asks, as if he hasn't a clue. Fact is, he had a conversation just like this last week with a different managing agent for a different co-op.

"Ten percent for overhead, only I get to determine the allocation," demands the agent. "That's what I like about this job - one hand washes the other!" He laughs, sliding the check along the table to the plumber.

"I wish that just once one of these sons-of-bitches would at least pick up the tab," mutters the plumber through a tight smile.

"Sounds good. I'll process it in the usual way. I guess it really doesn't matter so much whether I charge a half-a-million or a half-plus 50K. The shareholders won't know."

"When do I start?"

The agent stares. With a sly, derisive grin, he extends his hand to the plumber. "Got your checkbook?"

There is a big pot of money out there. Members of the board of directors/trustees of cooperatives and condominiums know this; building management companies know this, as well as their managing agents, and so do contractors. This pot of money needs protection lest the free market take it too freely.

WATCHER AT THE GATES

Oversight of cooperatives and condominiums rests primarily with their boards. Often, this oversight function is significantly delegated to professional management companies that employ agents to supervise the procurement of goods and services necessary for the operation, maintenance, and improvement of the residential buildings, especially the common areas. These three groups - board, management company-agent, and contractor-vendor-consultant - have a duty to act in good faith in transactions with the residential organization. They should deal fairly on behalf of and with it.

Sometimes, however, the principle of good faith gets short shrift from the principals and agents expected to uphold its letter and spirit. Board members, management company employees, and the assorted independent contractors used by the overseeing board members and managing agents may be guided by self-interest, and residential organizations are especially vulnerable because the individual shareholders of the cooperative or unit-owners of the condominium association are often too busy to check the exercise of discretion by the persons selected to manage, operate, and improve the residential organization.

The opportunities for board members, managing agents, and independent contractors are practically unlimited. Schemes involving the payment of graft to obtain work ("pay to play"), embezzlement ("self-gifting"), undisclosed use of related parties ("self-dealing"), and similar fraudulent practices occur because they can (opportunity), and disinterested and diligent oversight is not adequate. Rarely would persons commit fraud where they feel a significant risk of getting caught.

Firms that understand risk consulting may offer residential organizations the opportunity to cost-effectively reduce the risk of loss from intentional misconduct and (unintentional) incompetence or negligence. Everybody, especially the bamboozlers, makes risk-benefit calculations. The key is to understand the kinds of culture in which the risks from these types of losses are unduly great and to apply management controls that practically reduce these risks and effectively transform the character of the culture.

The best of these companies approach risk management in a holistic manner. Services including employee and vendor screening, forensic accounting, operational turnaround, security architecture, and data recovery are tools used to discover, deter, and deflate risks of loss inherent in clients' culture.

Residential organizations need management controls. Generally, residential organizations have management controls, however the effectiveness and efficiency of these controls should be periodically tested and monitored by an independent party to obtain assurance that the contributions of shareholders and unit-owners are properly received and disbursed consistent with the best interests of the organization, which may materially differ from the obeyed interests of any one board member, managing agent, or independent contractor.

CHAOS VS CONTROL

The following outline briefly describes some internal (management) controls mechanisms frequently recommended by risk consulting firms, though the specific approach and risk mitigation techniques should be customized. All residential organizations are not alike. Similarly, their boards, agents, and independent contractors are not identical. Human nature, though variable, conforms to the culture resulting from the actions and omissions of the particular residential organization.

Essentially, there are three forms of management control mechanisms to consider:

(1) Controls may be implemented to address material issues involving personnel and vendors, including personal reputation and character and procurement policies, before (and during) the establishment of a business relationship; that is, before-the-fact controls. These controls tend to be preventive. Proper establishment and application of these controls would reduce the risk of conducting business with unethical persons.

(2) Controls may be implemented to address material issues, including requiring a sufficient audit trail and proper segregation of duties, during the life of a business relationship; that is, contemporaneous monitoring and accounting controls. These controls tend to be preventive and detective. Proper establishment and application of these controls would reduce the risk of failure to discover intentional wrongdoing or incompetence (including negligence).

(3) Controls may be implemented to address material issues, including rigorous but fair enforcement of standards of conduct required of business partners, after detection of intentional wrongdoing or unintentional bad acts; that is, after-the-fact administrative controls. These tend to be preventive. Proper establishment and application of these controls would reduce the risk of loss, including injury of reputation, resulting from discovery of wrongdoing committed against the residential organization and deter board members, managing agents, and independent contractors from engaging in improper conduct.

BEFORE THE FACT

Prequalification Requirements. Boards of directors should develop prequalification procedures and requirements to allow the board to know its own members, management company, managing agents, contractors, subcontractors, vendors, consultants, building superintendents, etc. (collectively, business partners). A fundamental principle of ancient Greek philosophy was "Know Thyself." Today, there is no substitute for knowing, as practicably and cost-effectively as possible, the character and reputation of all of the persons on whom the success of the board's mission depends.

Background screening of business partners is an essential preventive safeguard. "An ounce of prevention is worth a pound of cure," they say, and many organizations have suffered incalculable harm to their reputation for failure to exercise sufficient foresight before engaging in economic relationships. Moreover, businesses are accustomed to demands from prospective customers for proofs related to their fitness or competency for a particular project.

Residential organizations are especially vulnerable to their respective oversight boards and management companies, including board members and managing agents, because the individual unit-owner is usually too busy to dedicate adequate attention to the activities of these parties. Demanding that business be done only with prequalified persons is a necessary first-step.

Screening should be periodically performed, even after the establishment of a business relationship. Through regular, limited background inquiries, the residential organization would reduce the risk of failing to detect materially adverse, changed circumstances; for instance, a business partner may subsequently become a defendant in fraud litigation that would otherwise be outside the scope of the organization's purview.

Use of Questionnaire. Risk consulting firms may offer questionnaires from which to gather and analyze relevant information about prospective business partners. Completion of the questionnaire may be a condition precedent to conducting business for the residential organization/board/management company, and the cost of completing and reviewing the questionnaire may often be charged directly to the prospective partner.

Additionally, use of a uniform, streamlined questionnaire avoids issues such as application of different standards to different persons. All persons would be required to complete the questionnaire. Moreover, the questionnaire would be notarized and sworn to, providing the residential organization with useful documentary evidence of the preparer's truthfulness.

Many risk consulting firms develop questionnaires based on extensive private and public sector experience. These questionnaires are neither too limited nor too demanding in scope, enabling the firms to cost-effectively obtain a useful snapshot and summary of the applicant's conduct. A well-designed questionnaire promotes effectiveness and efficiency.

Among the most useful byproducts of receiving questionnaires is the discovery of related parties. Undisclosed conflicts of interest often result in excessive costs paid and inferior work product received by the residential organization.

Procurement Policies. Mechanisms such as the establishment of the monetary thresholds for general and specific authorization are necessary to reduce the risk of falling victim to unbridled, errant discretion on the part of purchasing agents. Clearly communicated guidance is essential to control the conduct of board members, managing agents, and others that authorize purchases.

For instance, managing agents may have general authorization to make purchases valued at less than $1,500. However, authorization for purchases valued between $1,500 and $5,000 could require specific authorization from a designated board member, and purchases valued at more than $5,000 could require specific authorization from at least two board members. These criteria could be adjusted, depending on the activity required to manage the residential organization.

Additionally, the use of competitive bidding through Requests for Proposal (RFP) or Requests for Quote (RFQ) should be considered, depending on the value of the expected contract. By demanding that board members, managing agents, and others document their solicitation of interest in proposed contracts, the residential organization reduces the risk that these contracts could be steered to favored business partners that offer less than competitive pricing.

Many organizations have successfully inserted "right to audit" provisions in contracts. These provisions give the organization the right to follow up on circumstances suggestive of fraud or other wrongful conduct by reviewing the counterparty's books and records related to the transaction. Often, the provision would require the counterparty to reimburse the organization if it discovers evidence of significant overbilling.

Purchase Order Procedures. Sufficient attention should be given to the design of the purchase order system. For instance, copies of purchase orders should be delivered to the vendor, requestor, finance/accounting unit, receiving unit, and purchasing supervisor to assure that all of the interested parties independently maintain essential documents of the audit trail.

Moreover, purchase orders should be numbered to reduce the risk of failing to account for these forms. Unauthorized use of purchase orders may not be detected if they are not numbered; for instance, schemes using the same purchase order number twice to authorize duplicative payments to the vendor that may split the proceeds with the unscrupulous requestor are not uncommon. Moreover, failure to number purchase orders may result in duplicate vendor payments through sheer negligence.

Code of Ethics. Developing a code of ethics that employees and business partners must accept as a condition of working with the organization provides documentation of the organization's dedication to integrity. The establishment of a culture that takes integrity and ethics seriously may begin with the code. Issues addressed would include whether or not the receiving/giving of gifts is allowable, and if so, to what extent.

The code is essential to providing a standard of conduct applicable to rank and file, managing agent, and board member alike. An organization's willingness to define and document what is acceptable and what will not be tolerated is useful to demonstrating leadership and adherence to more than the mere letter of the law but also the spirit of the law as evidenced by valuing prescribed ethical standards.

Contemporaneous Monitoring

Invoice Receipt and Coding. Procedures should be established to assure that all invoices are properly marked received and posted to the proper account. As a source document, the invoice is essential to supporting the audit trail. Failure to properly record and post invoices could increase the risk that wrongdoing, including fraud and unauthorized expenditures, would not be detected in a timely manner.

Voucher Preparation and Approval. A commonly discovered abusive practice is employee expense account fraud. By establishing required and standardized methods of submitting vouchers for payment, including employee expense account vouchers, that demand support (such as invoice number, purpose of transaction, and signature of receiving unit), the organization assures a useful audit trail.

The voucher package should be complete. All of the supporting documentation should be attached so the designated signatory (for instance, treasurer) can immediately identify whether the transaction has been properly authorized, and the proposed payment is for the appropriate amount.

The audit trail offers two benefits. Unauthorized or fraudulent transactions may be detected through the internal audit function and employees may be less likely to engage in such wrongful conduct if they are aware that there is a significant risk that management will review the transaction.

Check Preparation and Disbursement. Generally, cash is the asset most commonly subjected to wrongful conduct. By its very nature as the most liquid asset, cash is the asset most vulnerable to conversion by the thief. Therefore, organizations should carefully design and review their management control mechanisms affecting the preparation of checks and the authorization for disbursement of cash.

For instance, checks should not be issued to post office addresses unless specific approval of such address has been documented and retained in a permanent (vendor) file. Moreover, checks should not be signed unless all of the supporting documentation, including original invoice, is provided in the (voucher) package delivered to the authorized signatory prior to affixing of the signature or stamp.

Check Deposits and Cash Receipts. The receipt of checks and currency should be recorded properly and promptly deposited in the organization's bank account. Importantly, duties should be segregated to assure that the conduct of the person responsible for custody of the cash is independently checked by a different person who would be responsible for maintaining records of cash receipts.

Organizations should avoid giving too much control over one function to any single person. For instance, if the person responsible for custody of the cash were also responsible for performing monthly bank reconciliations, this person could conceal defalcations of cash altering bank reconciliation reports.

Check Signature Authority. Requiring at least two signatures on checks above a threshold amount provides assurance that errors and/or intentional misconduct would be quickly detected. Often, an objective of management controls is to force a conspiracy; that is, the organization should create an internal control system that requires internal collusion to defeat the control mechanisms.

Check-Signing Machine Usage and Custody of Blank Checks. Uncontrolled access to the check-signing machine coupled with access to blank checks create an intolerable risk of loss through the preparation of unauthorized checks. These checks may be issued to and cashed by employees through fictitious vendors.

Petty Cash Guidelines. Petty cash should be independently reconciled monthly. Expenditures should be supported by invoices and statements as to purpose of expenditure. Replenishments of the fund should be monitored for excessive use.

Internal Audit Function. Internal audit is the eyes and ears of the organization. Consistent with the "ounce of prevention worth a pound of cure" adage, the organization should not begrudge dedicating adequate resources to internal audit. These auditors often possess both the requisite independence to test the operation of management controls but also the specific understanding of the organization to perform efficient tests and follow-up on "red flags."

After-the-Fact

Variance Reports.The use of variance analyses is a method of detecting unauthorized or excessive consumption of the organization's resources. Ideally, the organization should perform monthly analyses of the preceding month's activity such that by the end of the month designated and competent management personnel would be informed of the material variances for the preceding month.

Enforcement of Code of Ethics. An organization must fairly and promptly enforce its code of ethics. Punishments for infractions should be identified in the code, and their application should be swift, sure, and uniform. Enforcement of the code indicates that it is not mere "lip-service" but a living constitution and expression of the organization's value on integrity, fair dealing, and good faith.

The management control mechanisms briefly described above are examples only. Perhaps, the most important and immediate act of the residential organization is to obtain professional, independent, and objective advice from a risk consulting firm. Outside reviews of management controls are necessary and not cost-prohibitive.