Business leaders spend most of their time and energy assessing risks and weighing them against possible rewards. Unfortunately, many leaders overlook one of the most common challenges facing businesses today — the risk of occupational fraud. To build a successful business that stands above its competition, you need a solid foundation of controls to deter schemes that can misappropriate critical resources.
The median loss to occupational fraud for U.S. businesses is $108,000, according to the Association of Certified Fraud Examiners’ 2018 Report to the Nations (ACFE report). Worldwide, small businesses lose almost twice as much ($200,000) as large businesses ($104,000) per fraud.
With so much at stake, how can your business identify and reduce the risk of an occupational fraud scheme? For starters, answer these five questions.
1. Do we effectively segregate duties and oversee employees who manage the receipt of funds?
It’s very hard to detect the theft of funds that you don’t know you have. The risk at this stage is that an employee can somehow divert money before it is recorded and tracked in your books.
How to mitigate the risk: The old standby of segregation of duties remains the most effective type of control. An accounts receivable function should include several individuals:
- One person who documents the receipt of a payment.
- A separate person who handles the deposit of any “hard” payments, such as checks and cash, into the bank.
- Another person who records the receipt in the company’s accounting system.
- Ideally, a fourth person who hasn’t participated up to this point would perform the reconciliation of the bank accounts, monitor receivables, and check with customers if an expected payment is overdue.
2. Do we effectively segregate duties and oversee employees responsible for the disbursement of funds?
Check and payment tampering has the highest median loss ($150,000) of the asset misappropriation schemes (ACFE “2018 Report to the Nations”). The more disbursement responsibility is concentrated in one person, the greater the risk of fraud. One common scheme is when an employee creates a phony vendor to the authorized vendor list either directly themselves or indirectly by manipulation, and that vendor then submits what appear to be legitimate invoices. The perpetrator is then in the position to see the phony invoice and approve it either themselves or indirectly as manipulation.
How to mitigate the risk: Once again, a multi-person process is the best form of prevention. The accounts payable function should include:
- One person who oversees the authorization of vendors/payees and the entry of those businesses into the accounting system.
- One person who reviews the invoices, verifies the existence of the vendor in the system, prepares the payment (or refers a bill from a new vendor to the person who manages that step), and records the transaction in the accounting system.
- An executive who authorizes the payment, either by signing a paper check or entering approval into an electronic payment system.
3. Does our system protect against the alteration of transaction information?
A basic example of an “altered information” scheme involves a pile of checks to sign, handed to a harried boss by an employee who has included a check made out to himself or herself. If that employee has administrative access to the accounting software, they could go back in and change the payee in the system so it looks like the check was issued to an approved vendor.
How to mitigate the risk: The goal is to establish systems and processes that make such alteration as difficult as possible. Think of cashiers at a retailer. If they ring up something wrong or need to issue a refund, a supervisor usually needs to come over, verify the transaction, and enter a code to authorize it. Your accounting system should be at least that protected. Ideally, the system should include logical access controls that restrict who can alter transactions. Another control that can help detect (or even prevent) such a scheme involves sending bank statements directly to the owner or other chief executives so that they can review those transactions and spot discrepancies.
4. Does our system protect valuable inventory and equipment?
Certain types of businesses are especially vulnerable to theft. Retail employees have come up with countless schemes to sneak inventory out of stores. And manufacturing and construction companies are so used to employees taking small quantities of tools and raw materials that they sometimes budget for that leakage. While each of these items might be relatively inexpensive, over time they can tally up to significant losses.
How to mitigate the risk: Valuable inventory and equipment, especially items that can be easily concealed and transported, should be held in a secure location accessible only by authorized personnel. On construction sites and in warehouses, movement of this inventory should only be possible with written authorization from someone independent of getting the inventory and monitored by a yard guard.
In retail settings, bag checks should be routine and universal — every employee at the end of every shift, no exceptions. It doesn’t need to be a big production. The vast majority of employees are trustworthy and will never cause a problem. But if bag checks are routine, you don’t arouse suspicion or hurt feelings by singling out certain individuals if you start noticing inventory disappearing.
5. How do we oversee the relationships between our employees and our company’s vendors and customers?
This is one of the hardest frauds to detect and often the most lucrative to perpetrators. The ACFE report notes that the median loss in a fraud scheme perpetrated by one individual is $74,000, compared to $339,000 in schemes involving three or more individuals. When an employee conspires with a vendor or customer, the documentation can appear legitimate and pass all the safeguards noted earlier.
How to mitigate risk: The best control is to pay attention. Monitor accounts for unusual activities, particularly spikes. If revenue from one customer is climbing significantly or payments to one vendor are getting higher, ask the employees who oversee those relationships to explain. The ACFE report notes several red flags that can help identify fraudsters, such as:
- An unusually close association with a vendor or customer.
- A lifestyle that seems to exceed a person’s means.
- An unwillingness to share duties.
The Sixth Question: What Next?
It is important to not get so paranoid about occupational fraud that you start to treat your employees like suspects in a TV crime drama. Many businesses go through these questions and realize that they are at high risk for fraud, but it hasn’t happened because they have hired good people. Other businesses seem to have low risk, but can still be victimized because it only takes one bad apple to exploit one systemic weakness.
Most importantly, stay vigilant. Fraud can happen in any type of business at any time. And the most common first response from employers and coworkers alike upon the discovery of fraud is, “I never thought that person would do this.”
Once you go through this self-assessment, it often makes sense to talk to a professional about a fraud risk assessment. An outsider can perform an independent review from an objective viewpoint. These professionals are trained to be skeptical and find weaknesses in your system that aren’t readily apparent. If you believe your organization would benefit from a self-assessment, reach out for your CRI advisor to learn more about getting the process started.