The topic of fraud has popped up on my radar a few times recently. I attended a conference by Stephen Mann of Ossege, Combs & Mann, LLC on Financial Fraud and Internal Controls, and the CGMA recently published an article by Jeffrey Drew summarizing the “Report to the Nations on Occupational Fraud and Abuse” which was issued by the Association of Certified Fraud Examiners. This blog series will draw on their material and my own observations.
Fraud is most likely to hit smaller companies. Companies with fewer than 100 employees were the victims of fraud in 29% of the cases the report examined compared to 19% in firms with over 10,000 employees. Small business fraud cases typically cost the firm $154,000. The predominate reason fraud was able to take place was the lack of effective internal controls.
The fraud examiners indicated that very few smaller companies had a formal mechanism for reporting suspected fraud. A simple step used by bigger organizations is a hotline, a phone number with recording ability that employees can call to report suspected fraud anonymously. Tips to hotlines were reported in a third of the small business fraud investigations versus 45% in larger firms.
Smaller staffs make segregating functions difficult in smaller firms. Owners are more likely to have personal trust relationships with their staff. So what should be segregated?
In the billing, cash receipts and functions segregation steps include:
- Separation of cash posting to customer accounts and access to receipts. Someone who posted the customer payments to receivables has the ability to post to the wrong invoice or customer. If they are stealing funds from the deposit, they may attempt to hide the theft by posting cash incorrectly.
- Separate receiving cash from making the deposit. An employee could steal a payment before it is recorded or not put the whole deposit in the bank. If one person records payments and another makes the deposit while another balances the checkbook to the bank deposit, it is tougher to avoid detection.
- I am a proponent of lockboxes and remote deposit. The bank services a post office box and deposits the customer payments for the firm, leaving fewer chances for employees to have access to funds. Remote deposit scans the customer check straight to the bank, so no one makes the deposit at the bank. Remote deposit can speed access to funds if the company normally sends someone to the bank at the end of the day or only a few times a week.
- Credit cards avoid direct access to deposits but are still vulnerable to misapplication. Someone stealing customer receipts could cover their tracks by misapplying credit card receipts. Access to customer credit card data can also violate the merchant agreement with the card processor and credit card industry resulting in the loss of the ability to accept credit cards. Always destroy credit card information as soon as possible. Make sure your credit card data transmission is done via a secure line. Don’t store credit card information unless it is encrypted so that it isn’t usable if stolen. Think Target.
In my next blog we will continue to explore this topic focusing on vendor payments.