A CPA’s Perspective on Minimizing the Financial Risk of Cognitive Decline — Oblivious Investor

Broadly speaking, cognitive decline (whether dementia or mild cognitive impairment) presents three financial risks:

1. The increased risk that you’ll fall victim to fraud.
2. The increased risk that you’ll make poor decisions that will be costly. (Not the result of fraud, just something along the lines of investment or spending decisions that make no sense.) Let’s call this “mismanagement.”
3. The risk that you’ll need expensive care.

The risk of expensive care is obviously important, but that’s not what I want to focus on today. (There are many articles discussing the pros and cons of long-term care insurance, budgeting to pay for care out of pocket, and so on.) Today I want to focus on those first two risks: fraud and mismanagement.

And as far as things we can do to minimize those risks, two of the most important categories of action steps are:

1. The health stuff. Exercise, proper diet, social contacts, mental stimulation, and (according to recent research) hearing aids for anybody with hearing loss can all reduce the probability of cognitive decline. So it’s hard to imagine any better action steps than those.
2. Estate planning. Please, get your basic estate planning documents in place if you haven’t yet done so. (Will, health care power of attorney, living will, financial power of attorney, and in some cases a trust.)

But I’m not a health care professional or an attorney, so those aren’t what I’ll be covering here either.

What follows is a CPA’s perspective on minimizing the financial risk of fraud or mismanagement due to cognitive decline.

Internal Controls/Oversight

Many people think of CPAs as “tax people.” And taxation is a major area of practice for CPAs. But another major area of CPA practice is audit, which can include developing or testing internal controls and oversight within an organization. (I promise this is relevant to personal financial planning and cognitive decline, so please stick with me.)

In case you haven’t encountered the term before, internal controls are policies implemented by an organization to try to provide assurance as to the effectiveness of the organization’s operations and compliance with the applicable laws and regulations.

For example, imagine a small business that has insufficient internal controls. The firm has one accountant, and that person has sole responsibility for paying bills and doing all of the bookkeeping. In such a scenario, the accountant could create his own external LLC, set it up within the firm’s accounting software as a vendor, send fake invoices from the LLC to his employer’s business, pay those invoices using the employer’s credit card or checking account, and record the expenses as if they were legitimate business costs. The accountant might be able to steal money from the employer every month, for years, with nobody noticing.

A common internal control that would prevent something like this is separation of duties. The business could set things up so that one employee has the ability to disburse funds (i.e., pay invoices) and a separate employee does the bookkeeping. In this way, if either of the two employees tried to perpetrate a fraud such as the one above, the other employee would likely catch it. Each person provides some oversight over the other.

Internal controls can be broadly grouped into two categories:

• Preventive controls (i.e., things that reduce the likelihood of fraud or mismanagement occurring), and
• Detective controls (i.e., things that detect fraud or mismanagement quickly if it occurs, so that it can at least be stopped going forward).

Application to Households

As we age, and the risk of cognitive decline increases, implementing various forms of internal controls within our own households can reduce the risk that we’ll be the victims of fraud or our own financial mismanagement.

I would encourage you to have controls in at least three categories:

1. Spending,
2. Investments, and
3. Information security.

I’ll provide some suggestions of such controls below. Some are preventive controls, and others are detective controls. And if you spend some time thinking creatively about it, I’m sure you could come up with a whole list of additional options. Most internal controls do come with a cost though, whether it’s time to implement them or a financial cost if you’re hiring a professional to help with the implementation. So you’ll need to make your own assessment to determine where your biggest risks are, which controls would be most effective, and which controls would have the best cost/benefit ratio.

Spending-Related Controls

A common practice is to go through the credit card statement(s) every month and look at every charge, confirming that it is money that you spent on purpose (i.e., it’s not a fraudulent charge, it’s not a subscription that you thought you canceled a year ago, etc.). That’s a great internal control. And I’d encourage you to do the same thing with the checking account(s).

At some point though, in order for this to be an effective control in the context of potential cognitive decline, this needs to become a multiple-person job, so that there is meaningful oversight. If you have a significant other, you both go through and look at every charge on the credit card. If you are single, I would encourage you to enlist a trusted family member or professional. And more specifically, for this to function as an effective internal control, we want two people who we believe are of sound mind to be able to explain any spending transaction. That means that, if at some point it becomes clear for a couple that only one person is of sound mind, then we need to enlist a third person. And for a single person, if that person is no longer of sound mind, then ideally we want two other people.

Example: for one reader of this blog, the clear “we have a problem” moment came from just such an exercise. She and her husband had agreed they would make a sizeable donation to one of their favorite charities. Later, when reviewing their credit card statement for the month, the donation was there as expected. But there was also an identical transaction a few days later. Apparently the husband had put the donation on his to-do list. He made the donation. And then he completely forgot that he had done it. So he did it again a few days later.

If you haven’t done it before, this may sound like a super labor-intensive job. In my experience, it’s not so bad. For our household, it’s usually less than 10 minutes per month.

If you’re super concerned though about it being too laborious, you could implement a dollar threshold: for example, checking all the transactions that are over $X.

A missing expense can also be important information (e.g., an annual insurance premium not being paid), though it’s much harder to notice. For this, a basic version of what accountants call “variance analysis” may be helpful. Essentially, if you compare the month in question to the previous month as well as to the same month from the previous year, are any big expenses missing? (For example, if you’re looking at February 2025, you’d compare to January 2025 as well as February 2024.)

Two last spending-related controls, both of which are easy to implement:

• Automate bill payment whenever possible. The fewer things you have to remember to do and the fewer the number of decisions you have to make, the less damaging it will be if things do start to go south from a cognitive function point of view.
• Pay with credit card rather than debit card. (It’s generally easier to get fraudulent credit card transactions reversed.)

Investment-Related Controls

Similar to the above two-person-review policy with spending, I’d encourage you at some point to implement the same periodic review policy for investment accounts. If any changes were made by anybody, why? Two parties, both of sound mind, should each be able to answer that question.

With respect to such a review policy, having a written investment policy statement (IPS) is helpful, as it gives you (and whoever else is involved) a clear metric against which actions can be judged. (“We have a plan. Was this action in keeping with the plan?”)

Simplification is also quite beneficial here. (And it’s a rare internal control that may have no cost at all!) The fewer the number of accounts, and the fewer the number of holdings within each account, the easier it is for you (and whoever else is on our multiple-person “investment oversight committee”) to keep tabs on everything.

Information-Related Controls

The IRS requires tax professionals to have a Written Information Security Plan (WISP), given that we are in possession of many people’s personal information. While you are probably not subject to any similar regulatory requirement, the principles are similar. Per IRS Publication 5708, a good information security plan should focus on three areas:

• Physical safeguards: keep your data safe from physical threats. (Examples: don’t use just a 4-digit passcode for your smart phone. And if you use your tablet or laptop in public places, set it to lock the screen after a very short delay.)
• Technical safeguards: ensure that your device(s) and network are not compromised. (Example: use complex passwords and multi-factor authentication, ideally via an authenticator app rather than SMS.)
• Administrative safeguards: manage and train your staff. (In this context, “staff” means household members. It’s important that you, and anybody else in your household, stay up to date on the latest fraud schemes. For example, in addition to being alert to phishing scams, you should be alert to pig-butchering scams and other forms of social engineering.)

Note that none of the above are specific to concerns about cognitive decline. They’re good policies regardless of circumstances. (Publication 5708 linked above also provides a sample information security plan if you want to take a look, though it would require some adaptation for a household context.)

Maximizing Policy Effectiveness

Any internal control policies should be written — ideally in a way that is explicit and concise, with a minimum of jargon. And these written policies need to be shared with anybody who is going to be involved with their implementation.

Controls also need to be reviewed and reassessed on a regular basis. Sometimes a well-intentioned control will turn out to have gaps that don’t become clear until it’s put into action. Sometimes controls need to be updated due to changes in technology. And we also need to check periodically that controls are actually being being implemented as designed. (If you have a policy to check over your spending every month with somebody, but you don’t actually do that, well then the policy isn’t doing much good.)

With respect to the entire area of cognitive decline, whenever a clear mistake or a dubious decision is made, we not only want to try to correct it if possible, we also want to keep records of it. If it becomes clear that questionable decisions are occurring more and more often, we want to see that pattern as early as possible, so we can take action as needed. As much as it doesn’t sound fun to keep records regarding our own potential mental decline, it’s better to know than to not know.

Relatedly, it’s likely a good idea to make sure that any financial professionals with whom you work (e.g., tax professional, financial planner, attorney) know of somebody (or ideally even a few people) to whom they can report when something seems “off” — and give them the authority to do that.

Sooner Rather Than Later

It’s easy to say, “well I’m obviously fine now, so I’ll worry about this later.” But we want to create these policies and put them into action at a time when you know that you are of sound mind. That’s the whole point. We don’t want somebody of questionable mental capacity to be charged with the jobs of creating and implementing important policies. If you’re of an age where potential cognitive decline is even on your radar at all, I think it’s a good idea to get started.