The CEO's Guide to Reducing Fraud
By: Stephen King, CPA, CGMA
Implement the necessary steps to detect, reduce, and prevent fraud.
Table of Contents
CHAPTER 1: Fraud Prevention 101
CHAPTER 2: The Six Most Common Fraud Scenarios in Small Businesses
  1: Cyber Threats - Whale Phishing & ACH Fraud
  2: Billing Schemes
  3: Check Tampering
  4: Cash Skimming and Lapping
  5: Payroll Fraud
  6: Employee Expense Fraud
CHAPTER 3: Fraud Scenarios and How to Avoid Them
  Scenario 1: Cyber Threats
  Scenario 2: Billing Schemes
  Scenario 3: Check Tampering
  Scenario 4: Cash Skimming and Lapping
  Scenario 5: Payroll Fraud
  Scenario 6: Employee Expense Fraud
CHAPTER 4: How to Protect Your Business From Fraud
  Perform a C.R.I.M.E. Assessment
  Build a System of Internal Controls
  Create Separation of Duties
  Be Alert to Warning Signs in Employee Behavior
  Partner with an Outsourcing Firm
Conclusion
DEDICATION
To my parents who knew twelve years of Catholic school would teach me wrong from right.
CHAPTER 1 Fraud Prevention 101
Occupational Fraud. If you’re the CEO of a small business, these are the last words you want to hear in relation to your company.
In fact, just hearing them can be enough to keep you up at night.
Yet according to top occupational fraud experts, small businesses
experience more fraud and incur higher average losses than larger
companies. When you consider that the average fraud incident amounts
to $150,000,[1] it’s clear that you can’t leave your company unprotected
against this type of insidious crime.
Why are Small Businesses so Vulnerable?
The single most important answer is that they lack internal controls.
Simply put, when one employee handles more than one function
in the chain of authorizing, performing, recording transactions and
reconciling the accounts, there’s the potential for fraud because
that person can hide inconsistencies and theft by falsifying data.
And since more than 90 percent of fraudsters are first-time
offenders, employers have no reason to suspect their employees of
criminal behavior until they somehow become aware of the fraud.
On average, that’s one and a half years later, when it’s too late to
recuperate any of the stolen funds.
Occupational fraud is pervasive and damaging, as you’ll learn in
the following pages. Over the years, we’ve heard horror stories of
employees stealing funds from customer payments, then fudging
their books to cover their tracks—with serious financial and credit-
related consequences for those customers, thousands of dollars in
losses for the employers, and significant damage to the companies’
reputations.
Fraud is Especially Damaging for Small Businesses
It’s not just that they possess fewer financial resources than medium-sized and large enterprises and are therefore less resilient.
Small businesses are built on the owner’s hard work, and there’s
usually a relationship of mutual trust between employer and
employees. Just imagine how devastating it is when that trust is broken
by a fraudster who, in the worst-case scenario, causes irreparable
financial and reputational damage to the company, drives it into
bankruptcy, and destroys the owner’s and employees’ source of
income. Moreover, when it comes to family-owned small businesses
that have been passed down from generation to generation,
occupational fraud can ruin entire legacies.
Fraud is especially damaging for the small, family-owned business. It can cause irreparable financial and reputational damage, destroying not only everyone's source of income, but also their lives.
Why? One reason is that many CEOs of small businesses believe they’d feel it in their gut if something were amiss.
The statistics show the average occupational fraud case is active for
18 months before it’s detected. Just imagine the scope of the financial
and data losses that can occur in that time frame. And remember:
That’s the average for just one case. A company that doesn’t have
adequate internal controls in place can fall prey to multiple cases of
fraud at the same time or during overlapping periods of time.
Many nonprofit and religious organizations believe they’re
immune to fraud because they have strong core values. Certainly,
setting an ethical tone and promoting a strong corporate value system
is essential to preventing fraud. However, places of worship and
nonprofits are just as vulnerable to fraud as any small business.
In 2016, nonprofits and religious organizations experienced median
losses of $100,000 and $82,000 respectively per fraud incident.[2]
The latest statistics show that the average occupational fraud case has been active for 18 months before it's detected.
When it comes to occupational fraud, you must get out in front of it and protect your business before fraudsters have the chance to target you.
The sad reality is this happens more often than most small business owners realize.
Implementing Internal Controls
The most fundamental way to reduce the risk of fraud is to set up internal controls. At the most basic level, that means job duties need to be separated. You need to make sure you don’t have the same person doing any more than one of these functions:
1. Authorizing a transaction.
2. Recording that transaction.
3. Reconciling or checking the accounts.
The following pages of this eBook outline step-by-step how you can separate job duties in a small business with limited resources.
It’s important to understand that no system of internal controls can completely eliminate the risk of fraud. All it can do is make it harder for fraudsters to steal or increase the odds that they get caught quickly so you reduce the risks to a minimum. If two employees are colluding, that’s hard to spot. It’s not impossible; just harder.
No system of internal controls can completely eliminate the risk of fraud. Good internal controls can reduce the risk to a minimum. That's how you make it harder to steal and easier to uncover.
Fraud Prevention Starts at the Top
To significantly reduce the risk of fraud, you have to set the right tone at the top.
A CEO who rips off clients, cheats the IRS, and squeezes employees as part of the company culture perpetuates a toxic environment that breeds a dog-eat-dog mindset.
However, a CEO who has strong ethics and a commitment to best practices has a lower risk of fraud.
One key best practice is to never build a system of internal controls based on trust. Don't let relationships with your staff affect best-practice implementation. This has nothing to do with trust; it's common sense.
Small business CEOs need to know their business is an easier target for fraudsters than a larger one. There are various reasons for this; the most important is that they don’t have the resources to establish a system of internal controls. This can compromise even the simplest of safeguards.
The strategic CEO views outsourcing as a way to reduce risk and gain a competitive advantage. They see value in the peace of mind they get from implementing systems and strategies designed to reduce risk.
Fraud Prevention Checklist
In addition to lowering fraud risks, proper internal controls ensure the flow of data going into your accounting system is accurate, leading to better reporting.
When you set high financial control standards for your business, you’ll also net high-quality information that you can use to make informed decisions and take strategic action. That alone makes it worth the investment.
Fraud Prevention Checklist for Your Small Business:
• Does management set the right tone by setting the right example and enforcing a zero-tolerance policy?
• Do your employees understand what constitutes fraud? Is it clearly defined in the employee manual?
• Do employees believe they can speak freely when they suspect fraud is being committed?
• Do they know where to go for advice? Do you have a way for employees to report potential fraud?
• Are performance goals realistically attainable for your employees?
• Are anonymous surveys conducted to assess morale?
• Has a system of internal controls been put in place?
Fraud Facts
Statistics from a recently published report by the Association of Certified Fraud Examiners (ACFE) titled “Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study” illustrate why occupational fraud poses such a significant threat to small businesses (those with fewer than 100 employees).
Fraud Scheme Rate, by Size of Victim Organization (1388 cases)
Scheme                      Median Loss   <100 Employees   100+ Employees
Billing                     $100K         27.1%            20.9%
Check Tampering             $158K         20.1%             8.4%
Skimming                    $53K          19.9%             8.9%
Expense Reimbursement       $40K          16.7%            13.9%
Non-Cash                    $70K          18.8%            19.3%
Cash on Hand                $25K          16.4%            10.3%
Payroll                     $90K          14.0%             6.3%
Cash Larceny                $90K          13.5%             6.5%
Financial Statement Fraud   $975K         12.1%             8.8%
• Fraudsters are typically first-time offenders with clean records
• Reported cases of fraud took approximately 18 months before detection
• 76% of cases reported were committed by employees working in the following six departments: accounting, operations, sales, executive/upper management, customer services and purchasing
• 40-60% of businesses never recover any fraud-related losses
• 23%+ of fraud cases equaled or exceeded $1MM in losses
• The typical surveyed organization lost 5% of its annual revenue to fraud, at a median loss of $150,000 per case
• Estimated annual global loss due to fraud, based on 2011 GWP: $3.7 trillion
Setting Up an Anonymous Hotline
The best way to catch fraud is to set up a hotline. Let everyone know "if they see something, say something."
Make sure it's a phone line that is monitored, and that you establish follow-up processes that ensure there’s a clear audit trail. Due to the complex nature of this endeavor, it’s advisable to consider outsourcing your hotline to a provider that offers multiple tip input avenues, multiple languages, and ethics and compliance advisory services.
Since the No. 1 way fraudsters are caught is after a tip from an employee, we recommend setting up an anonymous fraud hotline.
CHAPTER 2 Common Fraud Scenarios
This chapter reviews the six most common fraud scenarios in small businesses. Each section walks you through what it is, what it costs and how it happens. In chapter 3, we will show you how to avoid these fraud scenarios.
Fraudsters Go Phishing
Phishing is an attempt—usually via email—to acquire usernames, passwords, social security numbers, credit card details and other data by pretending to be a reliable, trusted contact.
Spear Phishing is a targeted type of phishing used by cybercriminals who want information about a specific company or individual. Recent research shows that spear phishing is the initial avenue of attack in almost 70 percent of data breaches.[4] In other words, human error is to blame for almost three quarters of all breaches!
Clone Phishing is a phishing technique in which a legitimate email with a link or attachment is duplicated to create an almost identical message. However, the criminals use a malicious attachment or link instead of the original one, and send the email from an address that’s almost, but not quite, the same as the originating address.
Whale Phishing or Whaling is a form of spear phishing that targets high-level managers and CEOs. Whaling emails are often disguised as communications from authorities or legal entities in order to scare recipients into taking action.
The FBI's Internet Crime Complaint Center (IC3) reports that cyber theft is one of the fastest growing threats to small businesses. This is because small businesses often can't afford top-quality cybersecurity software and lack the resources to create and implement comprehensive cyber-hygiene policies.
Scenario 1: Cyber Threats
CEO Email Scams
Between October 2013 and February 2016, cybercriminals used CEO
email scams to net an estimated $2 billion from over 12,000 companies
located in 108 countries around the world. The criminals targeted
organizations of all sizes and according to law enforcement officials,
the threat continues to grow.[5]
When cybercriminals acquire sufficient data to create an email that
for all intents and purposes looks like it’s been sent by a CEO of a
company, they approach someone in that company with a request for
the transfer of funds for business purposes. And this is where things
can get confusing.
Email programs allow account holders to enter their names along with
their email addresses. Every time an account holder sends an email,
his or her name appears in the “from” field in the recipient’s inbox—
but the actual email address doesn’t!
The only way you can see a sender’s actual email address is by either
mousing over the name or by looking at the email header in the
original message.
For example: Let’s say John Smith is the CEO of Acme, Inc. He sets up a corporate email account listing his name as John Smith and his email address as [email protected].
If a cybercriminal wants to impersonate him, he can set up a spoof email account, list his name as John Smith and his address as [email protected] or something similar, so that even if a recipient checks the return address, it might not be flagged as irregular.
Whale Phishing is frequently used as a basis for so-called CEO email scams.
Whale Phishing
In June 2017, a bookkeeper received an email from the CEO of a small business requesting a wire transfer. There appeared to be absolutely nothing irregular about the email. It had the CEO’s normal signature file, complete with the CEO’s picture, company logo, social media links and website address. Obviously, the bookkeeper had no reason to suspect there was anything wrong.
He needed to confirm some additional details before authorizing the wire transfer. The scary thing was that when he hit reply, the return contact information looked identical to that on the CEO’s actual email account. Then, when the cybercriminal emailed back, there wasn’t anything about the email’s appearance that suggested it wasn’t from the CEO in question.
Fortunately, there was something about the content of the email that prompted the bookkeeper to flag it and call the client. The CEO was completely unaware of the email and was shocked to learn he’d been targeted by cybercriminals.
Upon closer inspection, the only way to detect that the email was fraudulent was to mouse over the CEO’s name in the “to” field in the email header. This revealed the return address—which wasn’t the CEO’s! Instead, it was a spoof email address that was later traced back to the U.K.
If you think you’ve received an email that contains malware, check this:
• Check the company name to see if it’s really from a company you’re affiliated with.
• Check the “from” field in the email to see if you recognize the sender’s address. If you’re not sure whether it’s valid, send a new email—not a reply—to the contact to ask if he or she emailed you.
• Put your mouse over the hyperlink in the body of the email to reveal the actual URL—but don’t click on the link!
• If the URL doesn’t look valid, examine the signature at the bottom of the email for any red flags, for example, a company website URL that doesn’t work.
You can do these checks in a minute or so, and if the email is fake, you’ll see multiple areas that don’t add up.
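The sender and link checks described above, turned into code as an added example (not the eBook's own material): it compares the display name in the From header with the actual address, looks for a look-alike of the company's own domain, and compares each link's visible text with the host its href really points to. The domain acme.example, the contact list and the sample message are constructed for this example.

```python
"""Added example (not from the eBook): the page's manual checks for a suspected
CEO-fraud email, done in code. Domains, contacts and the sample message are
constructed."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "acme.example"         # constructed: the company's own domain
BRAND = TRUSTED_DOMAIN.split(".")[0]    # "acme"
KNOWN_CONTACTS = {"john smith": "john.smith@acme.example"}   # constructed: may approve payments
# Link text that a reader would take for a URL or bare domain.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so a plain DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Undo common look-alike substitutions so acrne / acme1 compare as acme."""
    return domain.lower().replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")


def check_sender(from_header: str) -> list[str]:
    """Compare the display name with the real address, then the domain with ours."""
    name, addr = parseaddr(from_header)
    _, sep, domain = addr.lower().rpartition("@")
    if not sep or not domain:
        return ["UNPARSEABLE_FROM"]
    findings = []
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("DISPLAY_NAME_SPOOF")          # a known name on an unknown address
    ours = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    if not ours and (BRAND in domain or edit_distance(fold_confusables(domain), TRUSTED_DOMAIN) <= 2):
        findings.append("LOOKALIKE_DOMAIN")            # acme-inc.example, acrne.example, ...
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list[str]:
    """The 'hover, don't click' check: does the visible link text match the real target host?"""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        shown = DOMAIN_LIKE.match(text)
        if not shown:
            continue                                    # "click here" style text: nothing to compare
        target = (urlparse(href).hostname or "").lower()
        if shown.group(1).lower() != target:
            findings.append(f"LINK_TEXT_MISMATCH:{shown.group(1).lower()}->{target}")
    return findings


def assess_email(from_header: str, html_body: str) -> list[str]:
    """All findings for one message; an empty list means the quick checks passed."""
    return check_sender(from_header) + check_links(html_body)


# Constructed sample modelled on the page's scenario: right name, wrong domain, disguised link.
SAMPLE_FROM = '"John Smith" <john.smith@acme-inc.example>'
SAMPLE_BODY = ('<p>Please wire the attached today.</p>'
               '<a href="https://acme-inc.example/wire">https://acme.example/wire-form</a>')

if __name__ == "__main__":
    for finding in assess_email(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```

The checks are heuristics for triage, not proof: a message that passes them still needs the out-of-band phone call the page recommends before any funds move.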
ACH Fraud
Cybercriminals also employ phishing to steal data for Automated Clearing House (ACH) fraud.
Financial institutions use the ACH Network to process financial
transactions between individuals and companies including checks,
direct deposits, bill payments and cash transfers. According to
estimates from the FBI and industry experts, losses due to ACH fraud
amounted to $1 billion worldwide in 2016—and that number is
expected to rise.[6]
Only two pieces of information are needed to successfully commit
ACH fraud: a bank routing number and a checking account
number. Cybercriminals typically use spear phishing emails to install
key-logging software on victims’ computers, which enables them to
steal the login credentials for those victims’ bank accounts.
It’s important to understand that the processes for disputing
unauthorized—and therefore possibly fraudulent—transactions
are different for consumers and businesses. In a consumer’s bank
account, an unauthorized transaction may be returned within 60 days.
Business account holders, however, are required to notify their banks within 24 hours after an unauthorized transaction has been
posted! Those that don’t alert their banks within this time period are
liable for the unauthorized transaction themselves. That’s why it’s
crucial to automate the download of your bank activity and keep track
of the ACH transactions on your business account every single day.
Unlike private consumers who have 60 days to dispute unauthorized bank transactions, business account holders are required by law to notify their banks within 24 hours of an unauthorized transaction being posted! That’s why automated downloading of the ACH transactions into your accounting system is crucial.
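As an added example (not from the eBook), the daily ACH review the page calls for: a downloaded bank feed is compared against the originators the business has approved, and each debit that needs a decision is listed with the time left in the 24-hour reporting window. The CSV feed, the originator list, the per-debit limits and the clock value are constructed.

```python
"""Added example (not from the eBook): a daily check of ACH debits against the
originators a business has approved, with the page's 24-hour reporting clock.
The feed, the originator list and the clock value are constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO

REPORT_WINDOW = timedelta(hours=24)   # business accounts: notify the bank within 24 hours of posting

# Constructed: ACH originators (by company ID) allowed to debit the account, with a per-debit ceiling.
APPROVED_ORIGINATORS = {
    "1234567890": ("PAYROLL PROVIDER", 25000.00),
    "2233445566": ("STATE TAX DEPT", 5000.00),
}

# Constructed bank feed in the shape of an ACH activity export (ISO timestamps, one row per entry).
SAMPLE_FEED = """posted,type,originator_id,originator_name,amount,trace
2017-06-05T09:15:00,ACH_DEBIT,1234567890,PAYROLL PROVIDER,18250.00,091000017654321
2017-06-05T10:02:00,ACH_DEBIT,9988776655,QUIK FUNDS LLC,4900.00,091000011112222
2017-06-05T11:40:00,ACH_DEBIT,2233445566,STATE TAX DEPT,7600.00,091000013334444
2017-06-04T08:00:00,ACH_DEBIT,5544332211,ACME SUPPLY,1200.00,091000015556666
2017-06-05T12:00:00,ACH_CREDIT,0000000001,CUSTOMER PAYMENT,3000.00,091000017778888
"""
SAMPLE_NOW = datetime(2017, 6, 5, 14, 0)   # constructed "current time" for the review run


def review_ach_debits(feed_csv: str, now: datetime) -> list[dict]:
    """Return one finding per ACH debit that needs a decision, most urgent first."""
    findings = []
    for row in csv.DictReader(StringIO(feed_csv)):
        if row["type"] != "ACH_DEBIT":
            continue                       # credits do not drain the account; the 24-hour rule is about debits
        amount = float(row["amount"])
        approved = APPROVED_ORIGINATORS.get(row["originator_id"])
        if approved is None:
            reason = "UNKNOWN_ORIGINATOR"  # nobody authorized this company to pull from the account
        elif amount > approved[1]:
            reason = "OVER_LIMIT"          # known originator, but above the agreed amount
        else:
            continue
        posted = datetime.fromisoformat(row["posted"])
        remaining = REPORT_WINDOW - (now - posted)
        findings.append({
            "trace": row["trace"],
            "originator": row["originator_name"],
            "amount": amount,
            "reason": reason,
            "hours_left": round(remaining.total_seconds() / 3600, 1),
            "expired": remaining <= timedelta(0),   # past the window: the business now bears the loss
        })
    findings.sort(key=lambda f: f["hours_left"])
    return findings


if __name__ == "__main__":
    for f in review_ach_debits(SAMPLE_FEED, SAMPLE_NOW):
        state = "WINDOW CLOSED" if f["expired"] else f"{f['hours_left']}h left to report"
        print(f"{f['trace']}  {f['originator']:<18} ${f['amount']:>9,.2f}  {f['reason']:<18} {state}")
```

Run against yesterday's and today's feed every morning; the entry posted the previous day shows why a gap of even one day is enough for the window to close.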
Scenario 2: Billing Schemes
Billing Fraud
The most frequently occurring type of fraud in small businesses is billing fraud, which amounts to 27.1 percent of all cases.
Billing fraud occurs when an employee creates fake invoices
or inflates existing invoices and submits them to the employer
for payment. This can be done by sending invoices from a fictitious
company, submitting invoices for personal items, or making multiple
payments to a current vendor by submitting invoices without dates.
On average, a billing scheme lasts 24 months before it’s detected, and the median losses amount to $100,000 per case.[7]
Multiple Invoices
A nonprofit organization had outsourced its CFO position. As specified
in the statement of work, the CFO of the outsourced service provider
would invoice the nonprofit on a monthly basis.
From the start, the CFO did not include a time period on the invoice, so
it wasn’t clear to the Executive Director of the nonprofit exactly what he
was paying for.
Over time, the CFO gradually shortened the time between the
invoices. Eventually, he was submitting an invoice once every three
weeks instead of once a month—effectively charging the nonprofit
approximately 25 percent more than agreed.
Scenario 3: Check Tampering
Check tampering occurs when an employee steals, alters, or forges a check that’s payable from the employer’s business account.
It amounts to 20.1 percent of fraud cases in small businesses compared to only 8.4 percent in larger businesses. The median
amount lost per case is $158,000.[8]
There are several methods of check tampering. On altered checks, the name of the payee is changed to that of the fraudster, who then misappropriates the funds. On forged checks, the signature of the authorized signer or payee endorsement is forged.
Concealed checks are fraudulent checks that are submitted in a batch so the authorized signer doesn’t notice any irregularity and signs anyway. Finally, in what’s known as an “authorized maker” scheme, a fraudster is authorized to sign checks for the company. When he or she also has access to the company’s checks, misappropriating funds is simple.
Authorized Maker
An IT company had a bookkeeper whose husband lost his job. This
landed the couple in a short-term cash crunch, and they were unable
to pay their AT&T phone bill. The bookkeeper was authorized to write
checks on her employer’s behalf, so it was easy to write out a check to
the phone company and code it to telephone expenses in the books.
Fortunately, our second set of eyes realized the expense was higher
than usual; plus, AT&T wasn’t the client’s telephone vendor. We called
AT&T to determine what account the payment was for. Of course, this
immediately revealed that the bookkeeper had used company funds for
her own purposes. She was immediately escorted out of the building,
and the client had the locks to the premises changed.
Scenario 4: Skimming Schemes
When your business accepts cash payments, you’re at risk for skimming and lapping schemes. Skimming is responsible for 11.9 percent of fraud cases involving small businesses, and on average, results in $53,000 in losses per case.[9]
Skimming occurs when an employee receives a cash payment from a customer and misappropriates the money before it’s entered into the books. Skimming can look like customer theft or inventory error until a fraudster gets confident and starts pocketing more and more cash.
In a more complicated form of skimming, the employee tries to conceal the theft by either deleting the paid invoice or falsifying a credit memo, or bad debt entry, and applying it to the customer’s balance so the account doesn’t get flagged as past due.
Lapping is different from skimming in that the employee does make a record of the cash payment but instead of depositing it appropriately, takes the money for personal use. Then the employee hides the theft by applying the next payment to the customer’s account. When nobody detects it the first time, it’s easy for the fraudster to become more confident and expand the scheme.
While both skimming and lapping involve the misappropriation of cash, there's a slight difference.
Cash Skimming
A doctor had a practice where patients were expected to pay their
bills at the front desk after seeing the doctor. There were never any
problems with this because the billing clerk had great people skills and
the patients liked her.
When the billing clerk went on vacation, another employee temporarily
took over her duties. On the very first day, a patient came in and was
ready to pay in cash. The employee explained to her that the practice
never accepted cash and asked her to pay by debit or credit.
The patient was upset. She said she always paid in cash because
she wanted the 10% discount. Of course, the employee immediately
suspected something was amiss and reported the issue. It turned out
that for months, the billing clerk had been offering discounts for cash
payments—and subsequently pocketing the cash.
Scenario 5: Payroll Fraud
Payroll fraud occurs when an employee submits false time to receive additional payments from their employer.
While payroll fraud only accounts for 8.5 percent of cases, the median
loss per case amounts to $90,000.[10] Because the amounts are so
great, payroll fraud warrants special attention. Again, the fact that small
businesses typically lack internal controls makes them an easy target.
There are various ways employees commit payroll fraud. For
example, a fraudster may increase the number of hours or overtime
worked on their timesheet. An employee who has access to payroll
can inflate their wages or issue salaries to so-called ghost employees:
company employees who only exist on paper.
It may be a red flag if an in-house bookkeeper insists on doing payroll.
It doesn't make sense for a bookkeeper to control this function since
outsourcing payroll costs less and reduces fraud.
The fact that small businesses typically lack internal controls makes them easy targets for payroll fraud for which the median loss per case amounts to $90,000.
Payroll Manipulation
An interior designer had a bookkeeper who “did everything.” And it was precisely because he wore all the hats in the accounting department that he found a way to steal without getting caught.
The bookkeeper had editing rights to the "year-to-date payroll changes" inside QuickBooks™. That meant he could change the amount shown as his payroll tax withholdings to an amount that was higher than what was actually withheld. The extra was then paid by the company through a higher payroll tax deposit.
Because payroll tax withholdings are the amount an employer withheld and remits to the IRS on behalf of each employee, and that amount differs per employee, it wasn’t difficult to conceal the additional funds.
After padding the amount of taxes deposited, the bookkeeper altered his tax withholdings on his W-2 and changed the payroll tax return. That meant that at the end of the fiscal year, he could claim a higher tax refund.
Because the bookkeeper did everything, the CEO would never have detected the theft unless someone reviewed the payroll tax adjustments. Fortunately, the client brought our team in, and we were able to uncover the payroll fraud. You should not handle payroll in-house. The risk is great and the cost to outsource it is very low.
Scenario 6: Employee Expense Fraud
Employee expense schemes account for 14.7 percent of fraud cases and result in approximately $40,000 in losses per case. Expense reimbursement fraud occurs when an employee submits a
false or inflated expense report to the employer and receives financial
reimbursement accordingly.
In general, there are four types of expense reimbursement fraud:
Mischaracterized expenses are personal expenses that the employee submits as business expenses. For example, a fraudster takes her family out to dinner and submits the receipt as a business expense. The employer reimburses the fraudster, whose family dinner has now been paid for by the company.
Overstated expenses are expense reports that are adjusted up by the administrative assistant tasked with processing expense reports. For example, an employee requests reimbursement for a $100 business lunch. The administrative assistant changes the dollar amount to $150, issues $100 to the employee and pockets the additional $50 themselves.
Fictitious expenses simply involve submitting expense reports for business expenses never made.
Multiple expenses: A fraudster can also submit an expense report multiple times if they have multiple receipts. For example, the employee could request reimbursement for a hotel stay by submitting the receipt, and then request reimbursement for the same expense again a few weeks later by submitting a copy of their credit card statement.
Use software such as Expensify™ or Insperity® ExpensAble® to automate and streamline your expense reporting process.
Fake Expenses
The Executive Director of a nonprofit handled the organization’s
accounting himself. He submitted reimbursable expenses and issued
payments to himself from the organization’s bank account.
However, once we stepped in, our team realized that he hadn’t
submitted any receipts or any other kinds of proof to substantiate his
reimbursement requests.
We looked into it, and it turned out that he was reimbursing himself for
personal expenses.
CHAPTER 3 Fraud Scenarios and How to Avoid Them
Scenario 1: Cyber Threats
Protecting your company against cyber threats requires a three-pronged approach.
First and foremost, you need to make sure your employees know
what phishing scams are and how to identify them. Instruct them in
cyber hygiene best practices, such as always verifying return addresses
before responding to emails involving money and never clicking on
links or downloading attachments from unverified sources. Any request
to transfer funds should require a text confirmation (or some form of
double authentication).
Second, invest in anti-malware that flags phishing scams. This
prevents your network from connecting to malicious websites, plus,
it isolates and disables any malware contained in phishing emails. It’s
basically a fail-safe that protects your network in case of human error.
Some of the best anti-malware apps include Bitdefender Antivirus and
Malwarebytes Anti-Malware, and they both have versions for PCs, Mac,
and Android. And while it won’t prevent malware from installing on your
device, Emsisoft Emergency Kit is a good clean-up tool that quarantines
known threats. It is another good place to outsource.
Third, don't assume emails are legitimate. When you receive
a request that involves a funds transfer, always call the person
authorizing that transaction and get verbal confirmation. You can also
set up a two-step authentication process that requires text approval, as
texts are almost impossible to steal, or a secret passcode to be sent via
text message.
Scenario 2: Bill Payment Schemes
The best way to prevent billing fraud is to separate the billing and bookkeeping functions. The employee who’s writing the checks shouldn’t also be reconciling your bank accounts. This is crucial to reducing fraud! If separation of duties isn’t feasible, outsource your bank reconciliation functions.
Use purchase orders, or otherwise separate payment approval on
invoices before going to the bookkeeper. Separate AP, check writing
and authorization into three duties that are assigned to three
different employees. You should also separate approving, entering
and reconciling the bank account into three different functions
assigned to three different people.
Always pay based on an invoice (the original bill), never from a
statement, and verify time periods so you’re not being billed multiple
times for the same services or time period. Invoices need to show the
period of time served so they don’t overlap. Enter the invoice number
into QuickBooks™, since it will give you an alert if it’s a duplicate.
Invoices without numbers should be entered by date so you can always
go back and check the payments.
A fraudster using a vendor billing scheme first changes the payee on
the check to his or her own name and then, once the payment has
been made, revises it back to the vendor. That’s why you need to assign
one person to pay the bills and another employee to do the bank
reconciliations.
The employee handling reconciliations should request check images from the bank, and with the payee field turned on, match the payee on the check to the name listed on the payee screen. The name of the payee has to be on the approved vendor list.
QuickBooks™ Enterprise allows you to separate functions by user and can be integrated with Bill.com™, which enables you to separate bill approval from bill processing and create a scanned image of each receipt.
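The bill-payment controls above as a pre-approval check, added here as an example (not the eBook's, QuickBooks' or Bill.com's code): duplicate invoice numbers, missing or overlapping service periods, bills arriving faster than the agreed cadence (the outsourced-CFO case from Chapter 2) and payees not on the approved vendor list. The vendor list, the three-day cadence tolerance and the invoices are constructed.

```python
"""Added example (not from the eBook): the page's bill-payment controls as a
pre-approval check: numbered invoices, no duplicate numbers, a stated service
period, no overlapping or early-arriving periods, and a payee on the approved
vendor list. Vendors, cadences and invoices are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed approved vendor list: payee -> agreed billing cadence in days (None = billed per order).
APPROVED_VENDORS = {"Outsourced CFO Services LLC": 30, "Metro Office Supply": None}
CADENCE_TOLERANCE_DAYS = 3   # assumption: allow for month-length variation before calling a bill early


@dataclass(frozen=True)
class Invoice:
    vendor: str
    number: str
    period_start: Optional[date]
    period_end: Optional[date]
    amount: float


def check_invoices(invoices: list[Invoice]) -> list[tuple[str, str]]:
    """Return (invoice number, finding) pairs; empty means every bill may go to approval."""
    findings: list[tuple[str, str]] = []
    seen: dict[tuple[str, str], int] = {}
    recurring: dict[str, list[Invoice]] = {}
    for inv in invoices:
        if inv.vendor not in APPROVED_VENDORS:
            findings.append((inv.number, "PAYEE_NOT_APPROVED"))
        if not inv.number:
            findings.append((inv.number, "MISSING_INVOICE_NUMBER"))   # cannot be checked for duplicates
        key = (inv.vendor, inv.number)
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:                       # the "duplicate number" alert the page describes
            findings.append((inv.number, "DUPLICATE_INVOICE_NUMBER"))
        if APPROVED_VENDORS.get(inv.vendor) is not None:   # recurring-service vendor
            if inv.period_start is None or inv.period_end is None:
                findings.append((inv.number, "MISSING_SERVICE_PERIOD"))
            else:
                recurring.setdefault(inv.vendor, []).append(inv)
    # Recurring services: periods must not overlap and bills must not arrive faster than agreed.
    for vendor, invs in recurring.items():
        invs.sort(key=lambda i: i.period_start)
        cadence = APPROVED_VENDORS[vendor]
        for prev, cur in zip(invs, invs[1:]):
            if cur.period_start <= prev.period_end:
                findings.append((cur.number, f"PERIOD_OVERLAPS:{prev.number}"))
            if (cur.period_start - prev.period_start).days < cadence - CADENCE_TOLERANCE_DAYS:
                findings.append((cur.number, "BILLED_EARLY"))
    return findings


# Constructed batch modelled on the page's cases: the CFO who drifted from monthly to every three
# weeks, a bill entered twice, and a payee that was never added to the vendor list.
SAMPLE_INVOICES = [
    Invoice("Outsourced CFO Services LLC", "CFO-001", date(2017, 1, 1), date(2017, 1, 31), 4000.0),
    Invoice("Outsourced CFO Services LLC", "CFO-002", date(2017, 2, 1), date(2017, 2, 28), 4000.0),
    Invoice("Outsourced CFO Services LLC", "CFO-003", date(2017, 2, 22), date(2017, 3, 14), 4000.0),
    Invoice("Outsourced CFO Services LLC", "CFO-004", None, None, 4000.0),
    Invoice("Metro Office Supply", "MOS-7781", None, None, 312.40),
    Invoice("Metro Office Supply", "MOS-7781", None, None, 312.40),
    Invoice("J. Doe Consulting", "1001", None, None, 2500.0),
]

if __name__ == "__main__":
    for number, finding in check_invoices(SAMPLE_INVOICES):
        print(f"{number:<10} {finding}")
```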
Scenario 3: Check Tampering
If you're still using checks, stop! Use automated bill payment software such as Bill.com to reduce costs, lower risk, and increase financial intelligence. Learn to Automate Small Business Bookkeeping with Bill.com.
The built-in controls of automated bill payment provide protection from fraud. Employees see only the information they need to complete their part in the online bill-paying process. With less employee access to and interaction in the bill payment, there’s less opportunity for internal tampering with company funds. In addition to automated bill payment, you should also implement the following best practices:
• Attach scanned images to each transaction
• Set up your bank account(s) to download all transactions daily
• Make sure that the payees on your bank statements are approved
and they are the same as those in your accounting system
• Never allow an employee who writes checks or has data entry access
to reconcile bank statements
If you must use checks, store them in a secure place only you can
access. Separate duties so either you--the owner--or a manager
reviews unopened bank statements and canceled checks.
Separate check cutting and preparation from check signing. It’s best
if the owner signs all the checks. You need to review each one before
signing to ensure an employee doesn’t give you a fraudulent check.
Make sure that signed checks are mailed out immediately. This
reduces the chances they can be altered after signing.
In addition, rotate employee responsibilities and hold surprise audits. If the audit trail shows a changed payee on a check, review the change for red flags. If you're billed for unexpected expenses, compare the budget to the actual report. Finally, set up positive pay and ACH filters with your bank: with positive pay, the bank pays a check only if its number and amount (and, with payee positive pay, the payee) match the list of checks you issued, and an ACH debit filter lets only originators you have pre-authorized pull money from the account. Anything that doesn't match is held for your decision instead of being paid.
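The reconciliation and positive pay controls described above reduce to one comparison: what the bank actually paid, against what the company recorded as issued, the approved vendor list, and the ACH originators it pre-authorized. The script below is an added example of that comparison and is not code from the guide, from any bank, or from QuickBooks; the check register, vendor list, originator ID and presented items are constructed for the example, and the exception codes are its own.

```python
import re
from typing import Dict, List, Set


def norm_payee(name: str) -> str:
    """Normalize a payee so 'ACME Janitorial, Inc.' and 'Acme Janitorial Inc' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def reconcile_presented_items(register: Dict[int, dict], approved_vendors: Set[str],
                              ach_filter: Set[str], presented: List[dict]) -> List[dict]:
    """Compare items that cleared the bank against what the company issued.

    register:         check number -> {"payee", "amount_cents"} as recorded in the accounting system
    approved_vendors: names on the approved vendor list
    ach_filter:       ACH originator IDs allowed to debit the account
    presented:        cleared items from the bank (check images and ACH debits)
    Every exception defaults to a RETURN decision; a person must change it to PAY.
    """
    approved = {norm_payee(v) for v in approved_vendors}
    exceptions = []

    def flag(item, code, detail):
        exceptions.append({"item": item.get("number") or item.get("originator_id"),
                           "code": code, "detail": detail, "decision": "RETURN"})

    for item in presented:
        if item["type"] == "check":
            issued = register.get(item["number"])
            if issued is None:                      # check number never issued: counterfeit or stolen stock
                flag(item, "NOT_ISSUED", f"check {item['number']} is not in the check register")
                continue
            if issued["amount_cents"] != item["amount_cents"]:   # amount altered after signing
                flag(item, "AMOUNT_MISMATCH",
                     f"issued {issued['amount_cents'] / 100:.2f}, paid {item['amount_cents'] / 100:.2f}")
            if norm_payee(issued["payee"]) != norm_payee(item["payee"]):   # payee swapped and swapped back
                flag(item, "PAYEE_MISMATCH",
                     f"image shows '{item['payee']}', accounting system shows '{issued['payee']}'")
            if norm_payee(item["payee"]) not in approved:
                flag(item, "PAYEE_NOT_APPROVED_VENDOR",
                     f"'{item['payee']}' is not on the approved vendor list")
        elif item["type"] == "ach_debit":
            if item["originator_id"] not in ach_filter:
                flag(item, "ORIGINATOR_NOT_ON_FILTER",
                     f"{item['name']} ({item['originator_id']}) is not an authorized ACH originator")
    return exceptions


# Constructed sample data for this example (not data from the guide)
CHECK_REGISTER = {
    2001: {"payee": "Acme Janitorial Inc", "amount_cents": 85000},
    2002: {"payee": "Metro Telecom", "amount_cents": 41219},
    2003: {"payee": "Riverside Supply", "amount_cents": 120000},
}
APPROVED_VENDORS = {"Acme Janitorial, Inc.", "Metro Telecom", "Riverside Supply", "Gulf Office Products"}
ACH_FILTER = {"9876543210"}      # hypothetical originator ID of the payroll provider
PRESENTED = [
    {"type": "check", "number": 2001, "payee": "ACME JANITORIAL, INC.", "amount_cents": 85000},
    {"type": "check", "number": 2002, "payee": "J. Doe", "amount_cents": 41219},            # payee swapped
    {"type": "check", "number": 2003, "payee": "Riverside Supply", "amount_cents": 170000}, # amount altered
    {"type": "check", "number": 2010, "payee": "Riverside Supply", "amount_cents": 30000},  # never issued
    {"type": "ach_debit", "originator_id": "9876543210", "name": "PAYROLL SVC", "amount_cents": 1825000},
    {"type": "ach_debit", "originator_id": "1112223334", "name": "QUICK LOANS", "amount_cents": 52500},
]

if __name__ == "__main__":
    for e in reconcile_presented_items(CHECK_REGISTER, APPROVED_VENDORS, ACH_FILTER, PRESENTED):
        print(f"{e['item']}: {e['code']} ({e['decision']}) - {e['detail']}")
```

Check 2001 clears even though the bank prints the payee in capitals with punctuation; 2002 is caught twice (the image payee differs from the system and is not an approved vendor), 2003 on its amount, 2010 because it was never issued, and the second ACH debit because its originator is not on the filter. The person who runs this comparison must not be the person who writes checks or enters data, as the list above says.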
Separation of Duties Chart: Bill Payment
If one person creates invoices, enters bills, or pays/approves bills, they should NOT:
• Open mail
• Delete bills / issue vendor credits
• Create new vendors
• Review bank statements
• Reconcile bank accounts
• Create credit memos
• Apply payments in the accounting system
Scenario 2: Check Tampering
Eliminate cash payments as much as possible: with no cash on hand there is nothing to skim. Accepting ACH, EFT and credit card payments is a much safer option. Note that lapping (covering one customer's stolen payment with a later customer's payment) can be done with checks as well, so the controls below still apply. If you need to accept cash or checks, use a bank lockbox service to receive them safely, and require daily bank deposits, since that will bring any discrepancies to light quickly.
Separation of duties is, again, key. Issuing receipts and making deposits should be separated, as should receiving cash and posting to accounts. Posting to accounts receivable and receiving cash receipts should also be segregated. Be sure to cross-train your staff and assign tasks on a rotating schedule to ensure no single employee is always in control of receiving cash.
If you don't outsource or you don't have the staff to get separation
of duties, create memorized reports of credit memos and postings to
bad debt accounts. Require supervisory approval for AR write-offs and
customer credit. Review the audit trail report for suspicious activity.
Separation of Duties Chart: Collections
If one person physically receives payments, they should NOT:
• Record payments
• Create invoices
• Create credit memos
• Delete invoices
• Make bank deposits
Scenario 3: Cash Schemes
Because payroll fraud is so difficult to detect, you should outsource the payroll function, and require owner or senior manager approval on any payroll changes.
For anything you don't outsource, adhere to separation of duties
for creating, reviewing, approving and signing payroll entries. You
should also separate payroll processing from bank reconciliation
and set up user rights to restrict the ability to edit and authorize
payroll transactions. For added security, set up Positive Pay and
an ACH filter with your bank. In addition, regularly review payroll
change reports and, at the end of the year, review gross wages on
W-2s. Finally, encourage employees to agree to direct deposit or pay
cards and perform background checks before hiring new people.
Note that the reason the vast majority of companies outsource payroll
is that the cost of a payroll provider is usually less than the cost of
doing it in-house. If your office manager insists on preparing payroll,
it should be a red flag. Why would they want to do payroll—and add to
their duties—when their time could be better used and it costs so little to
use a third party?
Separation of Duties Chart: Payroll
If one person processes payroll, they should NOT:
• Open mail
• Set up new employees
• Adjust payroll records
• Prepare payroll tax returns
• Reconcile bank accounts
Scenario 4: Payroll Fraud
Use an app and make it easy to reduce employee expense fraud. One payment needs to have one receipt. There are various apps that can capture images of paper receipts and/or credit card payments and send them straight to your books. This eliminates the possibility of submitting handwritten expense reports without any receipts to back up the claims.
Two expense management apps with these capabilities are Expensify™ and Insperity® ExpensAble®, which offer secure, streamlined expense reporting from a smartphone and can be integrated with QuickBooks™. The app sends financial data to the general ledger, which speeds up approval and employee reimbursement while making duplicate reimbursement claims harder to submit. Approval by the person paying is enforced in the app, and it can be configured to require two electronic approvals before payment, which further reduces the risk of fraud.
Scenario 5: Employee Expense Fraud
Prior Period Fraud
QuickBooks™ has a closing date ("prior period" lock) feature that helps maintain the integrity of prior periods so they can't be adjusted. Unauthorized changes to prior periods can cause faulty decision making because they affect financial statements and reports. Moreover, they can be used to conceal fraudulent activity.
Because QuickBooks™ posts transactions based on their transaction date and doesn't maintain a traditional period-based closing, you can use the Closing Date Exception Report as a highly effective control procedure to ensure prior periods have not been altered. It lists every transaction dated on or before the closing date that was added, changed or deleted after the closing date was set, together with the user who made the change.
Make sure your employees' user rights are restricted so they don't have access to functions that should be separated. In accounting preferences, set a closing date and a closing date password, and run the Closing Date Exception Report under Reports > Accountant & Taxes.
You will have to move the closing date forward every month to keep this report meaningful. Just pick a date, say the 15th of every month, and lock down the prior period. That will limit the ability to bury a transaction in the past.
Set up the CPA as an "accountant" user type. Make sure the CPA reconciles the Equity account.
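The exception report described above is a date comparison over the audit trail: a transaction is an exception when its accounting date falls on or before the closing date but it was added, changed or deleted after the lock was set. The script below reproduces that logic as an added example; it is not QuickBooks code or output, the audit trail entries are constructed, and the record layout and the lock timestamp are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List


@dataclass(frozen=True)
class AuditEntry:
    txn_id: str
    txn_date: date        # the accounting date the transaction carries
    action: str           # "added", "modified" or "deleted"
    changed_at: datetime  # when the user saved that change
    user: str
    amount_cents: int


def closing_date_exceptions(trail: List[AuditEntry], closing_date: date,
                            lock_set_at: datetime) -> List[dict]:
    """Transactions dated on or before the closing date that were touched after the lock was set."""
    out = []
    for e in trail:
        if e.txn_date <= closing_date and e.changed_at > lock_set_at:
            out.append({"txn_id": e.txn_id, "user": e.user, "action": e.action,
                        "txn_date": e.txn_date.isoformat(),
                        "changed_at": e.changed_at.isoformat(), "amount_cents": e.amount_cents})
    return out


def users_to_question(exceptions: List[dict]) -> Dict[str, int]:
    """Exceptions per user: anyone here either holds the closing date password or got around it."""
    counts: Dict[str, int] = {}
    for x in exceptions:
        counts[x["user"]] = counts.get(x["user"], 0) + 1
    return counts


# Constructed audit trail for this example (not data from the guide).
# January 2017 was closed on 15 February at 09:00, per the monthly lock-down routine.
CLOSING_DATE = date(2017, 1, 31)
LOCK_SET_AT = datetime(2017, 2, 15, 9, 0)
SAMPLE_TRAIL = [
    AuditEntry("BILL-3310", date(2017, 1, 20), "added", datetime(2017, 1, 21, 10, 0), "bookkeeper", 85000),
    AuditEntry("CHK-2002", date(2017, 2, 3), "modified", datetime(2017, 2, 20, 11, 5), "bookkeeper", 41219),
    AuditEntry("CHK-1987", date(2017, 1, 12), "modified", datetime(2017, 2, 22, 17, 45), "bookkeeper", 230000),
    AuditEntry("JE-0419", date(2017, 1, 31), "added", datetime(2017, 3, 2, 21, 10), "officemgr", 412500),
    AuditEntry("DEP-0077", date(2017, 1, 28), "modified", datetime(2017, 2, 15, 8, 30), "cpa", 990000),
]

if __name__ == "__main__":
    found = closing_date_exceptions(SAMPLE_TRAIL, CLOSING_DATE, LOCK_SET_AT)
    for x in found:
        print(f"{x['txn_id']} dated {x['txn_date']} {x['action']} on {x['changed_at']} by {x['user']}")
    print(users_to_question(found))
```

BILL-3310 and DEP-0077 were entered before the lock and CHK-2002 is dated in the open period, so none of them appear. CHK-1987 (a check edited three weeks after January was closed) and JE-0419 (a journal entry back-dated into the closed month and saved at night) are the two exceptions, each tied to the user who saved it.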
Separation of Duties Chart: Expense Management
If one person pays expense reports, they should NOT:
• Approve expense reports
• Review the bank statement
• Reconcile the bank account
Scenario 5: Employee Expense Fraud (cont.)
Perform a C.R.I.M.E. Assessment
Before doing anything else, you need to gain an understanding of how
your company’s structure, policies and procedures impact your level of
risk. You can do this using the C.R.I.M.E. Assessment.
When you take the time to objectively and comprehensively perform
the assessment, you’ll gain many valuable insights into your company’s
strengths, and whether you like it or not, its vulnerabilities. Although
the results can be disappointing, you absolutely need to study them
and create a strategy to eliminate any weaknesses. At the same time,
you should establish a system that facilitates oversight and promotes
transparency.
Understanding Your Level of Risk
The C.R.I.M.E. Assessment is built on the five components of the COSO internal control framework[11]:
C (Control Activities): Is there proper separation of duties? Is there a review and approval process for invoices, estimates, purchases, etc.? Is the computer safeguarded? Do you have a backup if the system fails?
R (Risk Assessment): Does the entity know what its risk tolerances are and what areas have the highest risk arising from both internal and external sources?
I (Information Systems and Communication): Are there proper controls for computer processing? Have you established clear lines of communication with vendors and customers regarding policies for billing and collections?
M (Monitoring): Is there a review of the internal control activities to ensure they are being set up as specified? Is there documentation of the internal controls to allow for independent review?
E (Control Environment): Is there a code of conduct? Do conflict of interest, acceptance of gift, and other related policies exist? What is the tone from the top? Does management encourage compliance with control activities?
CHAPTER 4 How to Protect Your Business from Fraud
Revise Policies and Procedures
Control activities are the policies and procedures that ensure management directives are carried out. They usually involve two elements:
• A policy that prescribes what should be done
• The procedure to implement the policy
You shouldn't build a business on "tribal knowledge." A well-run company handles transactions consistently both across employees and over time. You need your company's policies and procedures in writing because, without documentation, it's difficult to train new employees on how transactions should be initiated, approved and recorded. Subpar employee training results in high error rates, incorrect financial statements, and a need for increased supervision. Procedure manuals are valuable both for new-hire training and as a reference for existing employees.
Establish Usernames & Passwords to Protect Sensitive Data
The starting point for protecting your accounting data is restricting access: every person who touches the system gets their own login, and each login carries only the rights that person's duties require. To keep track of who does what in your accounting system, be sure to:
• Assign each user a unique username and password known only to him or her; never share logins.
• Set up separate accounts for "owner", "office manager" and "CPA", each limited to that role's functions.
• Don't let employees log in and enter transactions as "administrator"; reserve that account for setup, so the audit trail attributes every entry to a named person.
Internal controls can reduce the risk of fraud and help your company get to the next level.
Build a System of Internal Controls
In the previous chapter, we discussed fraud scenarios that were
possible because one employee performed two or more functions that
need to be separated (approval, recording and reconciling) in the three
primary accounting functions of AP, AR and payroll.
The principle of separation (or segregation) of duties is the cornerstone of a solid internal control system. In fraud prevention, it means dividing the critical duties within each of the three primary accounting and bookkeeping functions (AP, AR and payroll) between two or more employees or departments, so that no one person approves, records and reconciles the same transactions.
Why is this so important? Well, let’s take the example of the billing
clerk and her cash skimming scheme. If the office manager had been
in charge of billing and recording accounts receivable, they would
have noticed how many patient accounts had credit memos or were
in arrears much sooner—and the financial damage to the doctor’s
practice would have been dramatically lower.
2 Person Office
Business Manager:
• Mail checks
• Write checks
• Approve payroll
• Record accounts receivable
• Receive cash
• Authorize purchases
• Authorize check requests
• Authorize invoices for payment
• Record general ledger entries
Owner/Manager:
• Sign checks
• Reconcile bank statements
• Sign employee contracts
• Distribute payroll
• Process vendor invoices
• Complete deposit slips & make deposit
• Reconcile petty cash
• Perform bank transfers
• Receive, open and review bank statements
Cornerstone of a Solid System
How to Separate Duties
3 Person Office
Bookkeeper:
• Record accounts receivable
• Reconcile petty cash
• Write checks
• Record general ledger entries
• Process vendor invoices
• Make deposits
Office Manager:
• Mail checks
• Reconcile bank statements
• Disburse petty cash
• Approve invoices
• Authorize purchases
• Approve payroll
• Receive cash
• Distribute payroll
• Approve time sheets
Owner/Manager:
• Sign checks
• Complete deposit slips
• Perform bank transfers
• Sign employee contracts
• Receive, open and review bank statements
4 Person Office
Bookkeeper:
• Record accounts receivable
• Reconcile petty cash
• Write checks
• Record general ledger entries
• Process vendor invoices
• Make deposits
Clerk:
• Distribute payroll
• Receive cash
• Disburse petty cash
• Authorize purchases
• Authorize check requests
• Mail checks
Office Manager:
• Complete deposit slips
• Approve invoices
• Approve payroll
Owner/Manager:
• Sign checks
• Sign employee contracts
• Approve time sheets
• Perform bank transfers
• Receive, open and review bank statements
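The office charts above, and the four "if one person ... they should NOT" charts in Chapter 3, are a set of incompatible-duty rules applied to a staffing plan. The script below is an added example that encodes those rules and evaluates the two-person split from the chart; it is not from the guide or from any product, the rule list is this example's own reading of the guide's principles (duty names match the charts), and a two-person office cannot satisfy every rule, so the output is the list of combinations that the owner's review of unopened bank statements, job rotation and surprise audits have to compensate for.

```python
from itertools import combinations
from typing import Dict, List, Set

# Duty pairs one person should not hold, encoded from this guide's separation-of-duties
# principles (assumption: duty names are spelled as in the office charts above).
INCOMPATIBLE = [
    ("Write checks", "Sign checks"),                       # check cutting vs. signing
    ("Write checks", "Reconcile bank statements"),         # writes checks vs. reconciles
    ("Record general ledger entries", "Reconcile bank statements"),  # data entry vs. reconciles
    ("Write checks", "Authorize check requests"),          # AP, check writing, authorization: three people
    ("Write checks", "Authorize invoices for payment"),
    ("Write checks", "Process vendor invoices"),
    ("Process vendor invoices", "Authorize invoices for payment"),
    ("Receive cash", "Record accounts receivable"),        # receiving cash vs. posting to accounts
    ("Receive cash", "Complete deposit slips & make deposit"),   # receives payments vs. makes deposits
    ("Receive cash", "Reconcile bank statements"),
    ("Process payroll", "Adjust payroll records"),         # payroll chart
    ("Process payroll", "Reconcile bank statements"),
]


def sod_conflicts(assignments: Dict[str, Set[str]]) -> List[dict]:
    """Return every incompatible pair of duties held by the same role."""
    rules = {frozenset(pair) for pair in INCOMPATIBLE}
    conflicts = []
    for role, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in rules:
                conflicts.append({"role": role, "duties": (a, b)})
    return conflicts


# The two-person split from the "2 Person Office" chart above
TWO_PERSON_OFFICE = {
    "Business Manager": {
        "Mail checks", "Write checks", "Approve payroll", "Record accounts receivable",
        "Receive cash", "Authorize purchases", "Authorize check requests",
        "Authorize invoices for payment", "Record general ledger entries",
    },
    "Owner/Manager": {
        "Sign checks", "Reconcile bank statements", "Sign employee contracts",
        "Distribute payroll", "Process vendor invoices", "Complete deposit slips & make deposit",
        "Reconcile petty cash", "Perform bank transfers", "Receive, open and review bank statements",
    },
}

if __name__ == "__main__":
    for c in sod_conflicts(TWO_PERSON_OFFICE):
        print(f"{c['role']}: '{c['duties'][0]}' and '{c['duties'][1]}' need a compensating control")
```

For the two-person office the remaining conflicts all sit with the Business Manager: writing checks while authorizing check requests and invoices, and receiving cash while recording accounts receivable. Re-running the function on a three- or four-person plan shows which of those go away when a duty moves to another person, and which still need an owner-level review.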
Create Separation of Duties
Be Alert to Warning Signs in Employee Behavior
While all the examples in this eBook were detected based on data,
it’s important to remember the human factor in fraud. Fraudulent
acts can be triggered by external factors in an employee’s life, such
as personal debt and other financial pressures due to medical bills, a
spouse losing a job, or an ailing parent moving in. There can also be
other factors, such as drug or alcohol use, gambling or an inability to
curb spending.
These issues can, in some cases, be accompanied by a change in
behavior. Sometimes an employee becomes disorganized, dissatisfied
or withdrawn. In some cases, employees suddenly start making a lot of
personal calls.
It’s important to keep in mind that behavioral changes can occur for all
sorts of reasons, and the chances they’re linked to fraudulent behavior
are small.
Look for warning signs of their misdeeds: fraud typically lasts for months before the fraudster is caught, so early detection can have a big effect on limiting loss. Are any of your employees:
• Living beyond their means
• Experiencing financial difficulties
• Exhibiting control issues
Leverage Outsourcing
One of the most effective ways to reduce your risk of fraud is to outsource your bookkeeping, accounting and control functions to an experienced provider. This supplies the separation of duties a small office cannot staff on its own and puts a second set of eyes on every transaction.
Companies like GrowthForce possess decades of experience and have the expertise to flag and follow up on irregularities as soon as they arise.
The truth is that the more people you have overseeing your books, the less attractive your company becomes as a target for fraudsters. So in addition to providing a significant amount of protection, outsourcing also gives you peace of mind.
Benefits of Outsourcing
• Better Financial Intelligence: Timely, accurate financial reports that help you better understand your business, enabling you to make more informed decisions for profitability and growth.
• Peace of Mind: Confidence in the accuracy and quality of your financial information, plus a second set of eyes and documented policies and procedures, helping to reduce the risk of fraud.
• More Time: Focus on what's important in your business.
If outsourcing isn't an option, use other compensating control measures, such as:
• Credit checks
• Detailed budgets
• Exception reports
• After-the-fact review of transactions and reports by owners or managers
• Job rotation
• Mandatory vacations
• Physical safeguards
• Employment verification
• Background checks
Partner with an Outsourcing Firm
Conclusion
Now you should have a good understanding of how pervasive and damaging occupational fraud can be to small businesses.
Whether it’s cyber fraud, a billing scheme, check tampering, cash
skimming, payroll, or expense reimbursement fraud, no amount of
“gut feeling” or trust between employer and employees is a safeguard
against this type of insidious crime. Think about it: The average fraud
incident costs a company $150,000. Would your company be able to
handle a financial hit of that size—or a bigger one? And what about the
damage to your brand’s reputation?
Knowing this, it should be abundantly clear that fraud prevention is
one of the wisest investments of any CEO’s time and energy. As we’ve
explained, you need to objectively assess your risk, implement a system
of internal controls, separate accounting and bookkeeping duties,
establish an anonymous fraud hotline and leverage outsourcing to your
advantage.
If you follow some—or better yet, all—of our suggestions, you stand a
good chance of minimizing the risk to your business. And in the long
run, making an ongoing commitment to prevent fraud at every level of
your company can make all the difference in the world for a business
that’s thriving and poised for growth.
Sources
[1] Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study
[2] Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study
[3] https://www.ic3.gov/default.aspx
[4] http://searchcompliance.techtarget.com/feature/Verizon-Human-error-still-among-the-top-data-security-threats
[5] https://www.ft.com/content/83b4e9be-db16-11e5-a72f-1e7744c66818?mhq5j=e3
[6] http://frankonfraud.com/fraud-reporting/top-10-fraud-losses-for-2016-and-where-they-are-headed-now/
[7] Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study
[8] Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study
[9] Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study
[10] Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study
[11] Internal Control - Integrated Framework (2013) and Enterprise Risk Management Framework (2004). Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.
GrowthForce provides outsourced bookkeeping, management accounting and controller services for growing
businesses and nonprofits. GrowthForce combines advanced QuickBooks™ accounting system design
with a fractional share of a full service accounting department including a U.S. based, dedicated team of
bookkeepers, accountants and controllers. Our team approach gives a second set of eyes and documented
policies and procedures, helping to reduce the risk of fraud. Our customized financial reporting and KPIs help
small businesses and organizations drive performance and profitability through data-driven decisions.
To view our full library of case studies, whitepapers, and ebooks,
please visit www.growthforce.com/resources.
www.growthforce.com
281.358.2007
800 Rockmead Drive, Suite 200 Kingwood, TX 77339
@GrowthForce
About GrowthForce
GRO_033_OFF_V4
GrowthForce is not a CPA firm.
GrowthForce accounting services provided through an alliance with SK CPA, PLLC.
© 2017 GrowthForce, LLC
+1 212 810 9009
www.tmaginc.com