ACTG 150
Professor Ushman
The fraud investigation began after an assignment from Professor Ushman. Achilles was
an immediate target for us as we knew they were a small business with great customer service
and owners who were very personable. We approached D, one of two co-owners, about
working with Achilles, and he immediately accepted. After initial research on fraud within
the restaurant industry, we sat down with D on May 16th, 2019, and discussed the internal
group and discussed what they do well, as well as suggestions for areas of improvement. It was
obvious to us that D and Elias, the other co-owner, have a very good understanding of sound
management, revenue collections, and payroll are more than sufficient. With either D or Elias
almost always at the restaurant, it makes these controls much easier to manage, yet they still
make a concerted effort to maintain them. For the time being, almost everything they need is in
place.
their strong controls, so we have provided several suggestions on how to do so: consider
GoodHire as an option for background checks, encourage direct deposit for employees as well
as create a positive payment match system with the bank so checks are not cleared to a fake
employee, create a code of conduct for new employees to sign, and reduce the responsibility of
Investigation Process
Our group selected Achilles restaurant as the organization to complete our fraud
investigation. Achilles is a quick service restaurant located in Santa Clara that serves
Mediterranean fare, with a menu offering customers delicious options such as gyros,
shawarma, and falafel. Achilles’ philosophy is to offer customers “the freshest and highest
quality ingredients, generous portions, and great tasting Mediterranean meals at affordable
great value.”1 Similar to national chain restaurants such as Chipotle and Panda Express, Achilles
offers quick-service dining. Unlike at a sit-down restaurant, servers do not collect a customer’s
payment from their table at the end of the meal and charge their bill at a computer in the back
of the restaurant. Instead, customers order, receive, and pay for their food at the counter.
In addition to being a popular spot to eat amongst our group members, Achilles was also
recognized as the ninth-best restaurant on Yelp’s “Top 100 Places to Eat in the US for 2019,”
bringing the small and relatively new business an influx of customers and positive online
reviews.2 An increase in business due to the positive press has been greatly beneficial for the
owners of Achilles, who are considering expanding their restaurant. However, as discussed later
in the “Potential Problems” and “Suggestions” sections, this may also present new
opportunities for fraud to occur as the business grows. Furthermore, according to the National
Restaurant Association, independent restaurants lose up to 5% of sales per year due to fraud
and theft, “most of which is committed by employees.”3 Because of this, we knew the potential
1. Achilles Restaurant
2. Brenae Leary, Yelp
3. restaurantowner.com
Achilles is run by a pair of co-owners: Diaa Altali, who goes by “D” and whom our group
interviewed on-site, and his partner Elias Stanon. Known by frequent and first-time customers
alike for his friendly demeanor, D spends much of his time at the restaurant and is the owner
primarily responsible for the day-to-day operations of the business. Before our group’s
scheduled interview with D on May 16th, we began the investigation process by conducting
research on the nature of small businesses and non-chain restaurants so we could better
understand Achilles’ operating environment and potential threats facing the business with
respect to fraud. We used our research to draft informed interview questions. Our research is
Research
We began our research by investigating some of the basic internal controls that are
strongly recommended for restaurants by the public accounting firm BDO. According to BDO,
there are six categories of internal controls that are essential for restaurants to place in
operation to “help prevent and identify high-risk behaviors.”4 The first of these categories is
cash, on which BDO advises: “restaurants should reconcile their daily deposit reports and compare
these reports to both what is deposited in the bank and reports from the point of sale. They
should also perform monthly bank reconciliations timely and without fail, and the person
preparing bank reconciliations should not be the individual making deposits in the bank.”5 As a
small business that commonly receives cash as a form of payment, we determined these
4. Giselle El Biri, BDO
5. El Biri
concerns to be extremely relevant to our investigation of Achilles, and prepared a list of
The second category of internal controls that BDO advises be put in place is payroll.
Many payroll fraud schemes involve the creation of fictitious employees. Because Achilles only
has 8 employees, not including the owners, the creation of new fictitious employees by
someone within the organization is unlikely. However, we determined it is still important for
Achilles’ owners to monitor payroll records to ensure that all employees are clocking in and out
The third category of internal controls for a restaurant is software rights. BDO
rights to ensure that their rights continue to fit their job responsibilities.”6 We determined it
was important to discover the various types of software used by Achilles, and each employee’s
access to that software. The fourth category of relevant internal controls concerns accounts
payable. From our research we learned that “employees in the accounts payable function can
set up new vendors, enter invoices and produce checks—and by extension, create fictitious
employees wherever possible to reduce this risk.”7 Because Achilles is a small, independent
restaurant, we did not deem it likely that employees would be able to set up fictitious vendor
accounts without the owners’ knowledge. Nonetheless, we wanted to address this concern
with D in our interview, to ensure proper oversight into Achilles’ accounts payable.
6. El Biri
7. El Biri
BDO’s fifth internal control category for restaurants is financial statements review. This
review includes reconciling all accounts to the general ledger, “documenting and signing off on
all manual journal entry reviews,” and implementing a balance sheet log that “assigns
responsibility for updates to one employee and reviewing entries to another.”8 From this, we
separating duties between employees who update and review entries. The sixth and final
category is store monitoring. BDO advises the store manager to review store invoices for
reasonableness, examine daily sales reports, ensure completeness and accuracy of inventory,
and observe store performance.9 Because these internal controls are essential to effective
designed for restaurants to evaluate the existence and effectiveness of their internal controls.10
We used the “items” on the checklist to formulate questions to ask D. After our interview, we
completed the checklist by checking “yes” or “no” for each of the items and making any
applicable comments. The completed checklist is included as Appendix 1. With our research
complete, we had formulated effective questions and were prepared to interview D about the
8. El Biri
9. El Biri
10. restaurantowner.com
Interview
Our interview with D took place at Achilles on May 16th at 9pm, just after the
restaurant closed for the evening. With our list of prepared questions, we interviewed D
regarding his business. D explained that either he or his partner Elias usually comes in early
around 8:00 am and opens the restaurant at 11:00 am Tuesday through Sunday. One of them
comes in at 8:00 am because they need someone to sign off on the meats and vegetables that
are delivered. They cross check their order with what has physically been delivered. If anything
is missing or damaged, their vendor, a startup called Cheetah, will give them credit for their
next order. At noon, the co-owner who has the morning off comes in and runs the restaurant
until it closes at 9:00 pm. On rare occasion, the restaurant’s supervisor will close the store
instead. Whoever is in charge at this time has the responsibility of reconciling cash in the
D and Elias employ 8 people at Achilles: a supervisor, team lead, and at least one line
server are present during business hours. Currently, Achilles cannot afford to hire a manager or
assistant manager. While D is close with his employees and has not had problems with them
stealing in the past, he did not conduct any background checks upon hiring, and employees
found the job listing from D’s post on Craigslist. Employees are paid hourly wages plus cash tips,
and D informed us that his employees have sick days but are not awarded vacation time.
Finally, D admitted to us that he has no formal code of conduct that he makes employees sign
Achilles currently uses Homebase Software to clock in and out every day. All employees
must clock in to the system before working. If an employee tries to clock in before he or she is
scheduled to work, the system prevents them from doing so and alerts D via text. Only D and
Elias have access to Homebase and Square, their point of sale (POS) software. If a customer
were to walk in the restaurant, he would notice that there is a co-owner always behind the
counter managing the cash register and POS. After the customer has gone through the cafeteria
setup, much like Chipotle is designed, he will pay either with cash or credit card. D and Elias are
the only ones to manage these transactions. Only in special situations will the team supervisor
step up as cashier. D made it very clear that he, Elias, and the supervisor are the only team
members who know the login information to access the cash register.
enjoy coming to work, and Achilles has done a great job of that. D says that his employees “feel
like family,” which instills the belief in everybody to do what is best for the business. However,
according to the ACFE, one of two reasons small businesses have a higher risk of fraud is
“misplaced or assumed trust.”11 With this in mind, it is a very good control for Achilles to have
five security cameras behind the counter, watching the cash register as well as employee
activity. Employees are much less likely to steal from the company when they know they are
automatically deters criminal activity amongst employees because of the threat of being
caught. When cameras are present, one begins to think about the consequences of his or her
actions more.”12 The cameras act as a deterrent to any theft an employee may have thought
11. Signature Analytics
12. Supreme Security Systems
about committing, and with D or Elias almost always at the restaurant, it provides them with a
A second thing Achilles does well is its controls over cash. In order to open
the cash register, after registering a sale the employee must push a button, which is tracked via
an online system. This system tracks every time the cash register drawer is opened, and also
prevents the drawer from being opened unless there is a key or a registered sale. At the end of
almost every day, D or Elias reconciles the number of times the register is opened with the
number of sales as well as the total cash amount. This is a very good control since any sort of
cash theft will be noticed during the reconciliation process; and since D and Elias are the
owners, they are the people that should be doing this job, which is the case. They are the only
two people who have access to the cash drawer, and at the end of every night they make sure
no cash is left. Because “one of the most common causes of shrinkage or loss in your store is
through the mishandling of cash,”13 this is an extremely important control to maintain. The
control of emptying the register at the end of the night has already saved them money: a
couple months ago, somebody broke the front window in the middle of the night only to find
out the register was empty. This could have been a big loss, but because of the controls
surrounding cash, they were able to minimize their losses to the cost of a broken window.
To go along with their good cash controls, Achilles uses a very reliable and trusted POS
system in Square, “an easy-to-use credit card processing system and the most feature-rich free
Point of Sale (POS) system on the market today.”14 By using Square, Achilles can accurately
predict their expenses when it comes to credit card transactions because they use a flat rate
13. Hudson, Matthew
14. Sallows, Mark
per transaction. Without monthly subscription fees, it is the best low cost system on the market
Another area that is vulnerable in many companies is the use of a corporate credit card.
Employees can abuse their privilege and begin to charge personal expenses to the card.
However, the only two people at Achilles who possess the corporate cards are D and Elias, the
only two people who should have the card for the time being. Similarly, they are the only ones
with the ability to make purchases. Achilles uses a vendor called Cheetah for all their food
purchases.
place an order by midnight, and get it delivered the next day.15 Using this vendor has proved
very successful for Achilles, as it not only saves them money and time, but reduces risk when
they order inventory as D and Elias are the only two people who can purchase through the app.
They are also the only two people who receive inventory, and after receipt they look through to
ensure everything ordered is there. In the rare instances an order has not been correct,
Cheetah has proved very easy to work with and credited their account. By having one reliable
vendor, Achilles has eliminated a large risk that can come with purchasing inventory; but should
something happen and they can no longer order from Cheetah, they know several other
vendors that can supply their needs, virtually negating any risk that comes from using one
vendor.
Achilles also handles their payroll in a very effective manner. They use Homebase, an
employee scheduling software that greatly reduces the risk of any sort of payroll fraud. The
15. Cheetah
employees, besides logging in and out, have zero access to the system, which sends the hours
to the outside accountant, who prepares and sends the checks. By having a system where the
employees have no access, it reduces all risk of employees changing the books.
Besides the restaurant, Achilles also provides catering services. To ensure they collect
payment from their catering business, the client must pay 24 hours in advance. This mitigates
For a new small business, Achilles has very strong internal controls. If you refer to
Appendix 1, you can see they meet the majority of controls recommended for restaurants. It is
obvious D and Elias care deeply about their restaurant as well as their employees, and they
have found a way to create an atmosphere of trust and family while maintaining sound
business practices.
Potential Problems
Elias and D’s effort and care have allowed Achilles to become an incredibly successful
restaurant. Although we were very impressed by Achilles’ current procedures, we still found
some areas for improvement. As a group, we discussed several problems that may exist based
on our research and class teachings. We categorized these problems into five main topics:
One of the first questions we asked during the interview had to do with Achilles’ hiring
process. As we mentioned earlier, Achilles only has eight employees, so making sure these
employees are well-qualified and have a strong work ethic remains vital for the continuing
success of the restaurant. D revealed that he finds most of his employees through Craigslist or
putting fliers up on his restaurant windows. In many cases, this leads to few or no candidates,
which shows that this might not be the most effective way to find potential applicants.
The other problem we noticed with the hiring process related to background checks.
According to the ACFE’s 2018 Report to the Nations, one out of every ten fraudsters could have
been revealed solely by performing background checks.16 Based on what we learned from
various case studies of fraud, fraudsters often have a history of fraud or other negative work
experiences that indicate they are a bad choice for the position. D stated that he does not
perform background checks on potential employees due to cost. D is not alone. Only around
52% of companies perform background checks, but those background checks could potentially
prevent companies from experiencing fraud and dealing with the approximate median fraud
loss of $350,000.17
Nevertheless, Achilles’ current employees still play a huge role in the company and
seem to be trusted by both Elias and D. However, for preventive measures, we believe that
addressing some of the missing areas within the company may be helpful. Financial/accounting
item number three in Appendix 1 shows the importance of the owners handing out the
paychecks to employees. D stated that he sometimes sends employees checks by mail and has
not set up direct deposits for any of his employees. Sending the employees checks by mail
makes it easier for the information contained on the checks to be seen, such as signatures,
addresses, and the bank account number, and creates the possibility of the checks getting
16. Gaul, Michael
17. Gaul, Michael
We also learned that Achilles does not have a code of conduct for their employees. A
code of conduct helps an employee understand the values and mission of the organization and
acts as “a central guide and reference for employees.”18 A company’s code of conduct allows
employees to know what is expected of them and mitigates risk for the company since it shows
the company did their best to reduce financial risks and ethical misconduct.19
Another potential problem for Achilles has to do with the segregation of duties for the
bookkeeper. The bookkeeper’s job consists of signing checks, distributing payments, and
reconciling the bank statements. The bookkeeper currently has the power and ability to
authorize and handle checks, with minimal supervision. These tasks that the bookkeeper must
perform do not allow for the proper segregation of duties. There are three activities that must
be done by separate people in order to allow for proper segregation of duties: authorization of
transaction, recordkeeping, and custody of assets. When executed correctly, these activities are
done by different people in order to prevent anyone from having too much control in an
operation. In addition, the bookkeeper is in charge of the bank reconciliation, which normally
acts as a control. Bank reconciliations allow for a comparison of the bank’s records to the
company’s financial records in order to detect theft or accounting errors. Giving the
bookkeeper, who already is in charge of the authorization and custody of checks, the ability to
also check their work and compare the records to the bank statements prevents the internal
control of bank reconciliations from being effective. We realize that Achilles is a small company,
but the bookkeeper is taking on three activities, custody, authorization, and bank
18. Ethics & Compliance Initiative
19. Ethics & Compliance Initiative
Along with the bookkeeper, the co-owners themselves, Elias and D, also seem to have a
lot of responsibilities when it comes to running Achilles. Among other things, Elias and D are in
charge of controlling the cash register, reconciling the cash, monitoring the surveillance videos,
and are two of the three people that can open and close the store. The checklist from Appendix
1 shows that many of the non-existent internal controls such as surprise cash counts and
mystery shoppers are due to the fact that Elias and D are responsible for the cash and the cash
register. Although it is usually a good thing that Elias and D are taking responsibility for the
company’s revenue and handling cash themselves, it can also pose problems. Since both Elias
and D have such a high position in the company and the entire workforce has a strong
relationship and sense of trust, Elias and D’s work regarding cash and the cash reconciliation
are less likely to be checked for accounting errors. We believe a potential problem with Elias
and D’s control over cash could be the existence of material misstatements due to accounting
error and nobody, including Elias and D, checking the other co-owners’ work.
Furthermore, due to the important responsibilities of both Elias and D, the following
was a question that needed to be asked: What happens if both of the co-owners are sick or are
unable to go to work? In response to this question D said, “When you open your business you
don’t think about this.” Since D and Elias are in charge of vital everyday procedures like
operating the cash register and controlling the financial aspects of the closing of the store, it
has become absolutely necessary for one of them to be at the restaurant for most of the time
that Achilles remains open. The worry is that, should something happen that prevents both
Elias and D from going to work, do they have a plan? And who will access and work at the cash
This idea of Elias and D having too many responsibilities becomes especially important
should they choose to expand Achilles. The expansion of the company would only heighten
some of the problems already mentioned. Having no managers is not an area of concern for
Achilles due to the size of the company and the small number of workers. This might change
since Elias and D would most likely need help with managing all of the employees and the larger
scale of operations. Elias and D would have an even more difficult time handling all of their
responsibilities since expanding the company alone would take up a lot of their time and effort.
They would have to consider how to maintain the bigger company and new internal controls to
implement. All of this being said, expanding Achilles might be a good idea due to the current
success of the company, but the uncertainty of what must be done for the expansion causes a
Suggestions
As mentioned in the previous section, background checks are a great deterrent for
preventing potential fraud from the time an employee is hired. Achilles does not do this for
their employees. D brought up the same reason most small businesses avoid background
checks altogether: they are too costly. While some may argue that background checks can be
done for free, on the company’s own accord, they may not “comply with regulations”20 and can
get a business into trouble. Inc., a small business magazine, does an annual review of
companies that provide the best background check services at the most affordable cost. In
20. Kolditz, Kaylee
2018, GoodHire got the magazine’s seal of approval as the best background service for a small
GoodHire gets our vote for Best Background Check Service for Small Business 2018. Accredited by BBB with an A+
rating, FCRA compliant and NAPBS accredited, GoodHire offers three packages as well as add-on report options; all
of which fall within the price ranges of competitors. Their website is easy to navigate and understand. This is
particularly helpful to those who are new to background screenings.
GoodHire’s simplest package, which confirms an employee’s SSN and searches for his or her
name on a criminal and sex offender database, is $29/check. While this may seem like a lot, it is
relatively inexpensive when compared to other companies offering similar services. Even if the
background check is not used for employees who will work in the kitchen or on the service line,
it will become a necessity when the company expands. D and Elias eventually need to hire a
manager once another one of their restaurants opens up. When the time comes, they will have
to hire someone who can pass more than just an eye test, considering the responsibilities and
While check fraud seems like a thing of the past, it still poses a potential issue in any
environment where they are still used. There are a few ways to mitigate this threat. Firstly,
Achilles can set up direct deposit as a method of employee compensation. By doing this, money
from Achilles goes straight into an employee account. If used, Achilles will also want to
encourage their current employees to switch over from their check payment method.21 An easy
way to incentivize this is by reminding workers that doing so puts money in their account a few
days earlier than a check. At the end of the day, there is only one reason needed to justify direct
deposit as a payment method: checks can be manipulated and forged much more easily than an
electronic cash transfer. In the meantime, while the restaurant still distributes physical checks,
21. “7 Steps”
it is important that Achilles sets up a positive payment match system with their bank.
Essentially, this tool provides their bank with a list of people who are authorized to receive
payment from Achilles. If a check is given to the company and the recipient’s name and account
information do not match, then D, Elias, and the bookkeeper are all notified and the check is
bounced. Finally, all checks should be distributed in person rather than through the mail. The
main point of this is to cut out the middleman -- to assure D and Elias that no one else has
access to the check but their employee. On top of that, D mentioned how the bookkeeper is the
one who writes the checks. Instead of dropping them off, she mails them to Achilles. Again, a
simple way to mitigate the risk of a fraudster manipulating a check through the mail is by
implemented at all stages of the company. While every Fortune 500 company is conscious of
duty segregation and its implication, it is often an afterthought among small businesses. This is
the biggest area that Achilles can improve upon, specifically with the amount of trust and
power they place in their bookkeeper. Charles Hall, a CPA and certified fraud examiner for over
30 years writes, “If your bookkeeper prints your checks, then she can write checks to herself,
can she not?” Even a business owner, who “may be thinking, ‘but I’m the only authorized check
signer,’” cannot stop their bookkeeper from forging a signature.22 This becomes a problem too
if “she alone reconciles the bank statement” because “she may be the only person that sees
cleared checks.” Thankfully there is a simple, preventative measure that Achilles can implement
this month if it wanted to. Instead of having the monthly bank statement sent directly to the
22. Hall, Charles
bookkeeper, D should request that it be sent to the restaurant or his home. It may seem
tedious, but, by doing this only once a month, D can confirm that there are no hidden checks
being sent off to an unknown account. After he has confirmed the statement, he can then bring
it to the bookkeeper.
Finally, D and Elias should consider having their employees sign a code of conduct. A
strong code of conduct shows what a company and its owners believe in. Having employees
sign it conveys not only that the company leaders believe in it, but that they are also serious about
it. A small business whose owners and managers place heavy emphasis on their code of
conduct will most likely get their employees to follow suit. Not only that, but having certain
fireable actions in writing could prevent a potential lawsuit down the line from a former,
disgruntled employee.
Appendix
1- Restaurant Internal Controls Checklist
Works Cited