Contributor: Richard Kannan, Warren Whitney Finance & Accounting Director
The larger the company, the bigger the risk of fraud, right? Well, not necessarily. On a relative basis, smaller organizations may be at greater risk. The average fraud loss for companies with less than 100 Employees is $200,000, versus larger businesses where the average fraud loss is $104,0001. Fraud losses occur when there are NOT proper controls put in place. When small to medium-sized businesses have a leaner accounting team or one person with too much authority, they become vulnerable. The fact is that inadequate controls create opportunities for fraudulent activities.
American criminologist, Donald Cressey, developed the “Fraud Triangle” theory which explains the factors that can lead to fraud and unethical behavior as:
- Opportunity (i.e. Lack of internal controls)
- Pressure (i.e. Personal finances in jeopardy)
- Rationalization (Reasoning decreases with #1 & #2)
The combination of these three factors can turn individuals you wouldn’t suspect into a fraudster. Fortunately, as business leaders, you can take control and identify the points of weakness to deter fraudulent activity. The critical element is identifying the vulnerable areas to address immediately by establishing the proper protocols.
INTERNAL CONTROLS
Half (50%) of all fraud cases in small businesses occur due to a lack of internal controls1. The below list of real-life scenarios exemplifies how easily it happens and how it can be prevented.
REAL LIFE SCENARIOS HIGHLIGHT VULNERABILITIES IN THE SYSTEM
Scenario #1: A checking account number was used to print checks made out to the fraudster. Checks were written to an account and all available funds were transferred out as soon as funds were available. The checks continued to be written until the bank caught on and stopped payment immediately. The fraudster disappeared with the money.
Lesson Learned: Bank controls would have prevented this from happening. Banks offer “Positive Pay” protocols which will not allow checks to clear unless the company registers the check number and amount. This simple and inexpensive control will prevent checks from being hijacked.
Scenario #2: A bookkeeper wrote checks to herself using familiar amounts to the owner (i.e. monthly truck payments, rent, etc.). She shared the account reconciliation with the owner every month. The owner, who trusted his bookkeeper, conducted only a cursory review.
Lesson Learned: A trusted employee scammed her employer in a clever way. This is where business owners need a clearly defined approach to reviewing checking accounts, reconciliation, and spending.
Scenario #3: A vendor’s email account was hacked. The hacker sent an email from the hacked account to the vendor’s client requesting a large payment along with new wiring instructions. The client did not question the email and the wire was sent to the fraudsters account and the money was lost.
Lesson Learned: Always confirm payment method changes. This may require a face to face discussion, or a phone call to a known member at the organization to confirm the changes.
Scenario #4: A CFO stole $500K over 2 ½ years by sending cash from the entity’s operating account to a PayPal account he controlled. The company had no reason to dispute PayPal since the transactions were on the bank statement. The CFO controlled the bank reconciliations and nobody reviewed them or the bank statements. The fraud survived two annual audits (proving you can’t expect auditors to identify fraud). The scheme was caught when the numbers got too big to hide.
Lesson Learned: Always review your company’s bank reconciliations. Your controller should have a clear listing of all the cash movement tools.
Scenario #5: A bookkeeper “borrowed” money from a small company by writing checks to herself instead of paying the payroll taxes. Because the bank statements were not being reviewed, nobody realized that the payroll taxes were not being paid. The bookkeeper was caught when the IRS sent notices for unpaid taxes.
Lesson Learned: A defined review/checklist of the bank reconciliations is critical. Be sure to include aged reconciliation items, names of payees, etc.
Scenario #6: A bookkeeper was making her car payments with a company debit card. She would open the mail and scan the bank statement. She then used PDF editing software to change the description from her bank account to a company vendor. She then presented the doctored bank statement to the owner for approval. No one could tell the statements had been altered.
Lesson Learned: Always print out the company bank statements and/or look up the balances online to confirm that the document is legitimate.
The overall lesson learned in these scenarios is not to give one-person complete authority of your banking transactions – establish procedures for checks and balances.
These simple, smart changes can enhance the leanest team’s internal controls:
- Implement “Positive Pay” with your bank accounts so that all checks are registered by check number and amount with the bank. Checks for varied amounts or non-valid check numbers will not clear.
- Review your checking account reconciliations – use a formal checklist to make sure you have the appropriate levels of review.
- Do not allow your bookkeeper to control credit or debit cards, regardless of how much you trust them.
- Add wire controls with the bank – all wires/ACH require two people – one to initiate and one to approve.
- Implement individual access passwords for each person for bank, ledger, investment account, credit cards, and PayPal.
- Never change payment information without directly confirming the change with the authorized person.
Warren Whitney’s team of Fractional CFOs and Controllers can assist your business to enhance your internal control environment. We have experience in helping businesses with limited accounting staff and strategically align with your goals and objectives.
To learn more about how to mitigate fraud in your business, contact Richard Kannan at rkannan@warrenwhitney.com or 804.282.9566
[1] Association of Certified Fraud Examiners, 2018.
