INTERNAL AUDIT & FRAUD CONTROL IN HOTELS
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The diversity of the complex issues in the hotel industry – right from rate contracting to engineering to marketing to service delivery which would take time to grasp for newcomer; The complexity of the information systems. Different systems are used for various processes/department: Opera for PMS, Micros/symphony for F&B. MC/ADACO for Stores/purchasing, SUN/SAP for nancials, etc. In the absence of one ERP, auditing various systems can be complex. Uncertainties of risk profiling – Due to the unpredictability of the industry performance, it is difcult to plan what risks to audit around because completely new risks may emerge while at it that may affect work; Inadequacy of sufficiently qualified auditors – getting key staff who would work without supervision while grasping the complex issues is a challenge. It is just not enough to have a degree or ACA, ACCA, CPA, CIA, etc.; Changes in processes within the various services offered to guests may mean change in processes complicating auditing around these. They may not be communicated on time to all, including auditors; Absence of Board Risk & Audit Committees in the case of non – regulated companies.
"So how are we doing in the restaurant this week?" or "It seemed to be pretty empty this weekend, how did that new promotion work out?" are only two of many questions that hotel operations management teams may be asking, but need to know on a regular basis. The answers to these questions, and other similar ones, should be readily available from the accounting and nance group. The results being reported need to be accurate so that the operations management team can make informed decisions about the business. The key questions that internal auditors need to ask themselves are: "Does the nancial information make sense?" and "Are we protected from fraud?" Strong nancial controls help internal auditing and the operations team have condence in the numbers being reported to management and help protect the organization's assets. As in any area of operations, whether it be rooms, food and beverage, or other revenues, the nancial controls need to be documented, assessed, revised, and strengthened where necessary and tested regularly. Due to the current troubled economic environment, the likelihood that fraud will occur has increased signicantly. The pressures on employees and customers have increased through lower or lost wages, spouses being out of work, and lack of medical insurance. These tough times also have allowed potential fraudsters to easily rationalize the fraud that they are contemplating. Many fraud perpetrators say they are "just borrowing the money to pay my kid's school fees" or "using the money to help out until their spouse gets a job." Other common rationalizations include: "They will never miss 5000 Naira a day with all the money they make," "They don't pay me enough anyway." Operations has little control over most of those pressures and rationalizations but it does have control over the opportunity. By evaluating and strengthening the nancial internal controls of the operation, internal auditors can greatly reduce the opportunity component.
Strengthening Financial Controls
When assessing the current state of an organization's nancial controls, begin by determining which nancial processes pose the most risk. One way internal auditors can assess nancial controls is by looking at all of the functions and processes in accounting and nance and asking if a process were "broken" and activities were not getting done correctly, how much trouble would that cause the organization? For example, if for some reason checks were not cut or the accounts payable system did not function and suppliers were not paid, goods and services would no longer be coming in and things would get dicey. In this example, the cash disbursements process would be an area where internal auditors would want strong nancial controls in place. Additionally, within the cash disbursements processes, employees could set up fake vendors, cut fraudulent checks, or make deals with suppliers to defraud the hotel. Another example of an area where strong controls are absolutely essential would be within the payroll function. Payroll is such a huge expense for all operations that the slightest weakness or gap in the controls could have disastrous results. Employees could be paid incorrectly and once again, unscrupulous employees could exploit gaps and weaknesses in the controls to perpetrate frauds such as having ctitious employees on the payroll, not recording vacation, or overpaying themselves, relatives, and friends. In addition to the potential for fraud in the operation, without strong nancial controls it would be easy for innocent mistakes to allow a major reporting error to go undetected and cause management to make an incorrect decision, which could potentially cost large amounts of money. Strong nancial controls not only help prevent and detect fraud, but they also help detect true mistakes in the accounting and management reporting.
Other risk areas within an operation include controls around cash, nancial reporting, general ledger account reconciliation, and inventory (particularly in the food and beverage area), as well as controls around the hotel front desk. Many times when these areas are audited, numerous discrepancies surface and the rst questions clients will ask are: "How long has this been going on?" The above-mentioned items are not meant to be complete by any means; rather, they should get auditors thinking outside the box in their risk assessment and audit planning and provide a starting point for their audit.
Remedying Gaps and Weaknesses
Once auditors have performed their risk assessment and have identied the areas that they feel are at risk within their organization, they need to assess the controls currently in place. Review the policies and procedures for each of those areas, interviewing staff at all levels within the particular areas and observing them performing the various functions. After documenting the current state, auditors should determine whether the controls are adequate to mitigate or protect the organization from the risks, or if there are weaknesses or gaps that need to be addressed and corrected. To best accomplish this, the operation should prepare remediation plans with a time line and identify responsible people. The internal audit team should review the plan, and once the remediation plans have been developed and are in progress, it is important to monitor progress regularly. Having the operations staff responsible for the remediation send periodic updates to the internal audit team would be an excellent way to monitor each of the various remediation plans. Once the remediation plans have been completed and the revised controls have been in operation for a few months, internal auditing should test compliance with, and the effectiveness of, the new controls. When the reviews have been completed with satisfactory results, internal auditing should add the accounting and nance departments to its audit plan and schedule, so that the nancial controls are being monitored regularly going forward.
A good hotel manager naturally wants to spend most of his or her time meeting and greeting guests than authorizing guest refund requests; monitoring check – in procedure or verifying employee time card accuracy. Results: Dishonest employees, guests and suppliers often have numerous opportunities to exploit missing or awed anti – fraud controls. Losses to fraud are the inevitable result. Among the major reasons that hospitality companies are exposed to high levels of fraud is that the industry's culture frequently emphasizes customer service over internal controls that go into running a hotel, resort or restaurant. No problem with that, right? Better customer service equals more repeat business, means bigger prots. But it comes with a hefty price. When line employees, supervisors, managers and senior executives are focused so narrowly on getting customers to come back, nancial controls inevitably get short-changed.
Hospitality Fraud: Lessons Learned
Properly designed internal controls can never be tight enough in a hospitality property. Dishonest hotel, restaurant and bar employees and guests seem to always nd new ways to steal. The company's audit and accounting departments, in cooperation with management, must continuously review existing controls… improve on them and carefully screen for new tricks that employees and outsiders are inventing to steal their money.