What good are policies and procedures if no one follows them? What good does it do to develop good policies and procedures if no one enforces them? Why have polices and procedures in the first place if no one monitors compliance or checks to see if they're working, as intended?
In news article published today, a State Auditor's Office performing a routine audit identified two employees whose overtime totals stood out from all other employees. As part of the audit, the auditors compared overtime hours claimed with information compiled from their building access cards. There were substantial differences so the auditors referred the matter to State investigators. The investigation found that two employees "gobbled up" $130 thousand over a three year period in "bogus overtime" payments.
Needless to say, these two employees are in trouble. One was fired and the other resigned but they may be facing other legal consequences. Their supervisor was demoted for lax oversight and the article is blaming the matter on failure to follow policy.
Our take on this matter is different. We believe that a failure of the internal controls allowed these individuals to skirt established policies. The policies and procedures may have been good but if compliance is not tested from time to time, those policies and procedures will be rendered ineffective. When a scheme goes undetected for three years, there would have had to have been a significant lack of internal controls including oversight, employee training, monitoring, and feedback.
One of the most fundamental methods of internal control is the segregation of duties. When it comes to overtime, one individual should not be capable of initiating, authorizing, executing, and subsequently reviewing overtime requests for appropriateness. An individual should not request overtime. Overtime should be requested by a supervisor based on need. The supervisor should obtain approval from someone higher up the chain. Someone from finance should authorize funds. The employee and the supervisor should sign the timecard/timesheet certifying that the hours were worked and charged to the appropriate job. Payroll should verify that overtime hours were approved and reviewed by appropriate supervisors and management. Internal audit or special teams should periodically review these practices for compliance.
Internal controls are not that difficult to implement.