the ceo's guide to reducing fraud - growthforce group and... · 2017-10-24 · 6 the ceos uide...

The CEO's Guide to Reducing Fraud

By: Stephen King, CPA, CGMA

Implement the necessary steps to detect, reduce, and prevent fraud.

The CEO's Guide to Reducing Fraud2

Table of Contents

CHAPTER 1: Fraud Prevention 101.................................. 3

CHAPTER 2: The Six Most Common Fraud Scenarios in Small Businesses................................... 11

1: Cyber Threats - Whale Phishing & ACH Fraud

2: Billing Schemes

3: Check Tampering

4: Cash Skimming and Lapping

5: Payroll Fraud

6: Employee Expense Fraud

CHAPTER 3: Fraud Scenarios and How to Avoid Them...................................... 25

Scenario 1: Cyber Threats

Scenario 2: Billing Schemes

Scenario 3: Check Tampering

Scenario 4: Cash Skimming and Lapping

Scenario 5: Payroll Fraud

Scenario 6: Employee Expense Fraud

CHAPTER 4: How to Protect Your Business From Fraud...................................... 32

Perform a C.R.I.M.E. Assessment

Build a System of Internal Controls

Create Separation of Duties

Be Alert to Warning Signs in Employee Behavior

Partner with an Outsourcing Firm

ConclusionDEDICATIONTo my parents who knew twelve years of Catholic school would teach me wrongfrom right.


CHAPTER 1 Fraud Prevention 101

Occupational Fraud.If you’re the CEO of a small business, these are the last words you want to hear in relation to your company.

In fact, just hearing them can be enough to keep you up at night.

Yet according to top occupational fraud experts, small businesses

experience more fraud and incur higher average losses than larger

companies. When you consider that the average fraud incident amounts

to $150,000,[1] it’s clear that you can’t leave your company unprotected

against this type of insidious crime.

Why are Small Businesses so Vulnerable? The single most important answer is that they lack internal controls.

Simply put, when one employee handles more than one function

in the chain of authorizing, performing, recording transactions and

reconciling the accounts, there’s the potential for fraud because

that person can hide inconsistencies and theft by falsifying data.

And since more than 90 percent of fraudsters are first-time

offenders, employers have no reason to suspect their employees of

criminal behavior until they somehow become aware of the fraud.

On average, that’s one and a half years later, when it’s too late to

recuperate any of the stolen funds.

Occupational fraud is pervasive and damaging, as you’ll learn in

the following pages. Over the years, we’ve heard horror stories of

employees stealing funds from customer payments, then fudging

their books to cover their tracks—with serious financial and credit-

related consequences for those customers, thousands of dollars in

losses for the employers, and significant damage to the companies’

reputations.$150,000$150,000The Average Fraud Incident Amounts to


It’s not just that they possess fewer financial resources than medium-sized and large enterprises and are therefore less resilient.

Small businesses are built on the owner’s hard work, and there’s

usually a relationship of mutual trust between employer and

employees. Just imagine how devastating it is when that trust is broken

by a fraudster who, in the worst-case scenario, causes irreparable

financial and reputational damage to the company, drives it into

bankruptcy, and destroys the owner’s and employees’ source of

income. Moreover, when it comes to family-owned small businesses

that have been passed down from generation to generation,

occupational fraud can ruin entire legacies.

Fraud is Especially Damaging for Small Businesses.

Fraud is especially damaging for the small, family-owned business. It can cause irreparable financial and reputational damage, destroying not only everyone's source of income, but also their lives.

CHAPTER 1 Fraud Prevention 101


Why? One reason is many CEOs of small businesses believe they’d feel it in their gut if something were amiss.

The statistics show the average occupational fraud case is active for

18 months before it’s detected. Just imagine the scope of the financial

and data losses that can occur in that time frame. And remember:

That’s the average for just one case. A company that doesn’t have

adequate internal controls in place can fall prey to multiple cases of

fraud at the same time or during overlapping periods of time.

Many nonprofit and religious organizations believe they’re

immune to fraud because they have strong core values. Certainly,

setting an ethical tone and promoting a strong corporate value system

is essential to preventing fraud. However, places of worship and

nonprofits are just as vulnerable to fraud as any small business.

In 2016, nonprofits and religious organizations experienced median

losses of $100,000 and $82,000 respectively per fraud incident.[2]

The latest statistics show that the average occupational fraud case has been active for

18 monthsbefore it's detected.

When it comes to occupational fraud, you must get out in front of it and protect your business before fraudsters have the chance to target you.

The sad reality is this happens more often than most small business owners realize. CHAPTER 1

Fraud Prevention 101


The most fundamental way to reduce the risk of fraud is to set up internal controls. At the most basic level, that means job duties need to be separated. You

need to make sure you don’t have the same person doing any more than

one of these functions:

The following pages of this eBook outline step-by-step how you can

separate job duties in a small business with limited resources.

It’s important to understand that no system of internal controls can

completely eliminate the risk of fraud. All it can do is make it harder for

fraudsters to steal or increase the odds that they get caught quickly so

you reduce the risks to a minimum. If two employees are colluding, that’s

hard to spot. It’s not impossible; just harder.

1

2

3

Authorizing a transaction.

Recording that transaction.

Reconciling or checking the accounts.

No system of internal controls can completely eliminate the risk of fraud.Good internal controls can reduce the risk to a minimum. That's how you make it harder to steal and easier to uncover.

Implementing Internal ControlsCHAPTER 1



To significantly reduce the risk of fraud, you have to set the right tone at the top.

A CEO who rips off clients, cheats the IRS, and squeezes employees

as part of the company culture perpetuates a toxic environment that

breeds a dog eat dog mindset.

However, a CEO who has strong ethics and a commitment to best

practices has a lower risk of fraud.

One key best practice is never build a system of internal controls based

on trust. Don't let relationships with your staff affect best practice

implementation. This has nothing to do with trust, it's common sense.

Small business CEOs need to know their business is an easier

target for fraudsters than a larger one. There are various reasons

for this, the most important one is they don’t have the resources to

establish a system of internal controls. This can compromise even the

simplest of safeguards.

The strategic CEO views outsourcing as a way to reduce risk and gain

a competitive advantage. They see value in the peace of mind they get

from implementing systems and strategies designed to reduce risk.

Fraud Prevention Starts at the TopCHAPTER 1



In addition to lowering fraud risks, proper internal controls ensure the flow of data going into your accounting system is accurate, leading to better reporting.

When you set high financial control standards for your

business, you’ll also net high-quality information that you can

use to make informed decisions and take strategic action. That

alone makes it worth the investment.

Fraud Prevention Checklist for Your Small Business:

Does management set the right tone by setting the right example and enforcing a zero-tolerance policy?

Do your employees understand what constitutes fraud? Is it clearly defined in the employee manual?

Do employees believe they can speak freely when they suspect fraud is being committed?

Do they know where to go for advice? Do you have a way for employees to report potential fraud?

Are performance goals realistically attainable for your employees?

Are anonymous surveys conducted to assess morale?

Has a system of internal controls been put in place?

Fraud Prevention ChecklistCHAPTER 1



Statistics from a recently published report by the Association of Certified Fraud Examiners (ACFE) titled “Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study” illustrate why occupational fraud poses such a significant threat to small businesses (those with fewer than 100 employees).

Fraud Scheme Rate, by Size of Victim Organization (1388 cases)Scheme, Median Loss <100 Employees 100+ EmployeesBilling, $100K 27.1% 20.9%Check Tampering, $158K 20.1% 8.4%Skimming, $53K 19.9% 8.9%Expense Reimbursement, $40K 16.7% 13.9%Non-Cash, $70K 18.8% 19.3%Cash on Hand, $25K 16.4% 10.3%Payroll, $90K 14.0% 6.3%Cash Larceny, $90K 13.5% 6.5%

Financial Statement Fraud, $975K 12.1% 8.8%

OF FRAUDSTERSARE FIRST-TIME OFFENDERS WITH CLEAN RECORDS

REPORTED CASES OF FRAUD TOOK APPROXIMATELY:

MONTHSBEFORE DETECTION18

76%WERE COMMITTED BY EMPLOYEES WORKING IN THE FOLLOWING SIX DEPARTMENTS:

ACCOUNTING, OPERATIONS, SALES, EXECUTIVE/UPPER MANAGEMENT, CUSTOMER SERVICES AND PURCHASING

OFCASES REPORTED

OF BUSINESSES NEVER RECOVER ANY FRAUD-RELATED LOSSES

40-60%

23%+FRAUD CASES EQUALED/EXCEEDED

$1MM IN LOSSES

THE TYPICAL SURVEYED ORGANIZATION LOST

5% OF ITS ANNUAL REVENUE TO FRAUD

AT A MEDIAN LOSS OF

$150,000PER CASE

ESTIMATED ANNUAL GLOBAL LOSS DUE TO FRAUD, BASED ON 2011 GWP

$3.7 TRILLION

Fraud FactsCHAPTER 1



The best way to catch fraud is to set up a hotline. Let everyone know "if they see something, say something."

Make sure it's a phone line that is monitored, and you establish follow-

up processes that ensure there’s a clear audit trail. Due to the complex

nature of this endeavor, it’s advisable to consider outsourcing your

hotline to a provider that offers multiple tip input avenues, multiple

languages, ethics and compliance advisory services.

Since the No.1 way fraudsters are caught is after a tip from an employee, we recommend setting up an anonymous fraud hotline.

Setting Up an Anonymous HotlineCHAPTER 1



This chapter reviews the six most common fraud scenarios in small businesses. Each section walks you through what it is, what it costs and how it happens. In chapter 3, we will show you how to avoid these fraud scenarios.

Fraudsters Go Phishing

Phishing is an attempt—usually via email—to acquire usernames, passwords, social security numbers, credit card details and other data by pretending to be a reliable, trusted contact.

Spear Phishing is a targeted type of phishing used by cybercriminals who want information about a specific company or individual. Recent research shows that spear phishing is the initial avenue of attack in almost 70 percent of data breaches.[4] In other words, human error is to blame for almost three quarters of all breaches!

Clone Phishing is a phishing technique in which a legitimate email with a link or attachment is duplicated to create an almost identical message. However, the criminals use a malicious attachment or link instead of the original one, and send the email from an address that’s almost, but not quite, the same as the originating address.

Whale Phishing or Whaling is a form of spear phishing that targets high-level managers and CEOs. Whaling emails are often disguised as communications from authorities or legal entities in order to scare recipients into taking action.

CHAPTER 2 Common Fraud Scenarios

The FBI's Internet Crime Complaint Center (IC3), reports that cyber theft is one of the fastest growing threats to small businesses. This is due to small businesses often not being able to afford top quality cybersecurity software nor having the resources to create and implement comprehensive cyber hygiene policies.


CEO Email Scams Between October 2013 and February 2016, cybercriminals used CEO

email scams to net an estimated $2 billion from over 12,000 companies

located in 108 countries around the world. The criminals targeted

organizations of all sizes and according to law enforcement officials,

the threat continues to grow.[5]

When cybercriminals acquire sufficient data to create an email that

for all intents and purposes looks like it’s been sent by a CEO of a

company, they approach someone in that company with a request for

the transfer of funds for business purposes. And this is where things

can get confusing.

Email programs allow account holders to enter their names along with

their email addresses. Every time an account holder sends an email,

his or her name appears in the “from” field in the recipient’s inbox—

but the actual email address doesn’t!

The only way you can see a sender’s actual email address is by either

mousing over the name or by looking at the email header in the

original message.

[

For example:Let’s say John Smith is the CEO of Acme, Inc. He sets up a corporate email account listing his name as John Smith and his email address as [email protected].

If a cybercriminal wants to impersonate him, he can set up a spoof email account, list his name as John Smith and his address as [email protected] or something similar so that even if a recipient checks the return address, it might not be flagged as irregular.

[Whale Phishing is frequently used as a basis for so-called CEO email scams.

Scenario 1: Cyber ThreatsCHAPTER 2

Common Fraud Scenarios


Whale Phishing In June 2017, a bookkeeper received an email from the CEO of a small business requesting a wire transfer. There appeared to be absolutely nothing irregular about the email. It had the CEO’s normal signature file, complete with the CEO’s picture, company logo, social media links and website address. Obviously, the bookkeeper had no reason to suspect there was anything wrong.

He needed to confirm some additional details before authorizing the wire transfer. The scary thing was that when he hit reply, the return contact information looked identical to that on the CEO’s actual email account. Then, when the cybercriminal emailed back, there wasn’t anything about the email’s appearance that suggested it wasn’t from the CEO in question.

Fortunately, there was something about the content of the email that prompted the bookkeeper to flag it and call the client. The CEO was completely unaware of the email and was shocked to learn he’d been targeted by cybercriminals.

Upon closer inspection, the only way to detect that the email was fraudulent was to mouse over the CEO’s name in the “to” field in the email header. This revealed the return address—which wasn’t the CEO’s! Instead, it was a spoof email address that was later traced back to the U.K.

If you think you’ve received an email that contains malware, check this:

Check the company name to see if it’s really from a company you’re affiliated with.

Check the “from” field in the email to see if you recognize the sender’s address. If you’re not sure whether it’s valid, send a new email—not a reply—to the contact to ask if he or she emailed you.

Put your mouse over the hyperlink in the body of the email to reveal the actual URL—but don’t click on the link!

If the URL doesn’t look valid, examine the signature at the bottom of the email for any red flags, for example, a company website URL that doesn’t work.

You can do these checks in a minute or so, and if the email is fake, you’ll see multiple areas that don’t add up.




ACH Fraud Cybercriminals also employ phishing to steal data for Automated

Clearing House (ACH) fraud.

Financial institutions use the ACH Network to process financial

transactions between individuals and companies including checks,

direct deposits, bill payments and cash transfers. According to

estimates from the FBI and industry experts, losses due to ACH fraud

amounted to $1 billion worldwide in 2016—and that number is

expected to rise.[6]

Only two pieces of information are needed to successfully commit

ACH fraud: a bank routing number and a checking account

number. Cybercriminals typically use spear phishing emails to install

key-logging software on victims’ computers, which enables them to

steal the login credentials for those victims’ bank accounts.

It’s important to understand that the processes for disputing

unauthorized—and therefore possibly fraudulent—transactions

are different for consumers and businesses. In a consumer’s bank

account, an unauthorized transaction may be returned within 60 days.

Business account holders, however, are required to notify their banks within 24 hours after an unauthorized transaction has been

posted! Those that don’t alert their banks within this time period are

liable for the unauthorized transaction themselves. That’s why it’s

crucial to automate the download of your bank activity and keep track

of the ACH transactions on your business account every single day.

Unlike private consumers who have 60 days to dispute unauthorized bank transactions, business account holders are required by law to notify their banks within 24 hours of an unauthorized transaction being posted! That’s why automated downloading of the ACH transactions into your accounting system is crucial.




Billing Fraud The most frequently occurring type of fraud in small businesses is

billing fraud, which amounts to 27.1 percent of all cases.

Billing fraud occurs when an employee creates fake invoices

or inflates existing invoices and submits them to the employer

for payment. This can be done by sending invoices from a fictitious

company, submitting invoices for personal items, or making multiple

payments to a current vendor by submitting invoices without dates.

On average, a billing scheme lasts 24 months before it’s detected, and the median losses amount to $100,000 per case.[7]

Scenario 2: Billing SchemesCHAPTER 2



Multiple InvoicesA nonprofit organization had outsourced its CFO position. As specified

in the statement of work, the CFO of the outsourced service provider

would invoice the nonprofit on a monthly basis.

From the start, the CFO did not include a time period on the invoice, so

it wasn’t clear to the Executive Director of the nonprofit exactly what he

was paying for.

Over time, the CFO gradually shortened the time between the

invoices. Eventually, he was submitting an invoice once every three

weeks instead of once a month—effectively charging the nonprofit

approximately 25 percent more than agreed.

Scenario 2: Billing SchemesCHAPTER 2



Check tampering occurs when an employee steals, alters, or forges a check that’s payable from the employer’s business account.

It amounts to 20.1 percent of fraud cases in small businesses compared to only 8.4 percent in larger businesses. The median

amount lost per case is $158,000.[8]

There are several methods of check tampering. On altered checks, the name of the payee is changed to that of the fraudster, who then misappropriates the funds. On forged checks, the signature of the authorized signer or payee endorsement is forged.

Concealed checks are fraudulent checks that are submitted in a batch so the authorized signer doesn’t notice any irregularity and signs anyway. Finally, in what’s known as an “authorized maker” scheme, a fraudster is authorized to sign checks for the company. When he or she also has access to the company’s checks, misappropriating funds is simple.

Scenario 3: Check TamperingCHAPTER 2



Authorized MakerAn IT company had a bookkeeper whose husband lost his job. This

landed the couple in a short-term cash crunch, and they were unable

to pay their AT&T phone bill. The bookkeeper was authorized to write

checks on her employer’s behalf, so it was easy to write out a check to

the phone company and code it to telephone expenses in the books.

Fortunately, our second set of eyes realized the expense was higher

than usual; plus, AT&T wasn’t the client’s telephone vendor. We called

AT&T to determine what account the payment was for. Of course, this

immediately revealed that the bookkeeper had used company funds for

her own purposes. She was immediately escorted out of the building,

and the client had the locks to the premises changed.




When your business accepts cash payments, you’re at risk for skimming and lapping schemes. Skimming is responsible for 11.9 percent of fraud cases involving small businesses, and on average, results in $53,000 in losses per case.[9]

Skimming occurs when an employee receives a cash payment from a customer and misappropriates the money before it’s entered into the books. Skimming can look like customer theft or inventory error until a fraudster gets confident and starts pocketing more and more cash.

In a more complicated form of skimming, the employee tries to conceal the theft by either deleting the paid invoice or falsifying a credit memo, or bad debt entry, and applying it to the customer’s balance so the account doesn’t get flagged as past due.

Lapping is different from skimming in that the employee does make a record of the cash payment but instead of depositing it appropriately, takes the money for personal use. Then the employee hides the theft by applying the next payment to the customer’s account. When nobody detects it the first time, it’s easy for the fraudster to become more confident and expand the scheme.

While both skimming and lapping involve the misappropriation of cash, there's a slight difference.

Scenario 4: Skimming SchemesCHAPTER 2



Cash SkimmingA doctor had a practice where patients were expected to pay their

bills at the front desk after seeing the doctor. There were never any

problems with this because the billing clerk had great people skills and

the patients liked her.

When the billing clerk went on vacation, another employee temporarily

took over her duties. On the very first day, a patient came in and was

ready to pay in cash. The employee explained to her that the practice

never accepted cash and asked her to pay by debit or credit.

The patient was upset. She said she always paid in cash because

she wanted the 10% discount. Of course, the employee immediately

suspected something was amiss and reported the issue. It turned out

that for months, the billing clerk had been offering discounts for cash

payments—and subsequently pocketing the cash.

Scenario 4: Skimming SchemesCHAPTER 2



Payroll fraud occurs when an employee submits false time to receive additional payments from their employer.

While payroll fraud only accounts for 8.5 percent of cases, the median

loss per case amounts to $90,000.[10] Because the amounts are so

great, payroll fraud warrants special attention. Again, the fact that small

businesses typically lack internal controls makes them an easy target.

There are various ways employees commit payroll fraud. For

example, a fraudster may increase the number of hours or overtime

worked on their timesheet. An employee who has access to payroll

can inflate their wages or issue salaries to so-called ghost employees:

company employees who only exist on paper.

It may be a red flag if an in-house bookkeeper insists on doing payroll.

It doesn't make sense for a bookkeeper to control this function since

outsourcing payroll costs less and reduces fraud.

The fact that small businesses typically lack internal controls makes them easy targets for payroll fraud for which the median loss per case amounts to $90,000.

Scenario 5: Payroll FraudCHAPTER 2



Payroll ManipulationAn interior designer had a bookkeeper who “did everything.” And it was precisely because he wore all the hats in the accounting department that he found a way to steal without getting caught.

The bookkeeper had editing rights to the "year-to-date payroll changes" inside QuickBooks™. That meant he could change the amount shown as his payroll tax withholdings to an amount that was higher than what was actually withheld. The extra was then paid by the company through a higher payroll tax deposit.

Because payroll tax withholdings are the amount an employer withheld and remits to the IRS on behalf of each employee, and that amount differs per employee, it wasn’t difficult to conceal the additional funds.

After padding the amount of taxes deposited, the bookkeeping altered his tax withholdings on his W-2 and changed the payroll tax return. And that meant that at the end of the fiscal year, he could claim a higher tax refund.

Because the bookkeeper did everything, the CEO would never have detected the theft unless someone reviewed the payroll tax adjustments. Fortunately, the client brought our team in, and we were able to uncover the payroll fraud. You should not handle payroll in-house. The risk is great and the cost to outsource it is very low.




Employee expense schemes account for 14.7 percent of fraud cases and result in approximately $40,000 in losses per case. Expense reimbursement fraud occurs when an employee submits a

false or inflated expense report to the employer and receives financial

reimbursement accordingly.

In general, there are four types of expense reimbursement fraud:

Mischaracterized expenses are personal expenses that the employee submits as business expenses. For example when a fraudster takes her family out to dinner and submits the receipt as a business expense. The employer reimburses the fraudster, whose family dinner has now been paid for by the company.

Overstated expenses are expense reports that are adjusted up by the administrative assistant tasked with processing expense reports. For example, an employee requests reimbursement for a $100 business lunch. The administrative assistant changes the dollar amount to $150, issues $100 to the employee and pockets the additional $50 themselves.

Fictitious expenses simply involve submitting expense reports for business expenses never made.

Multiple expenses: A fraudster can also submit an expense report multiple times if they have multiple receipts. For example, the employee could request reimbursement for a hotel stay by submitting the receipt, and then request reimbursement for the same expense again a few weeks later by submitting a copy of their credit card statement.

Use software such as Expensify™ or Insperity® ExpensAble® to automate and streamline your expense reporting process.

Scenario 6: Employee Expense FraudCHAPTER 2


https://www.expensify.com/

http://expensable.com/


Fake ExpensesThe Executive Director of a nonprofit handled the organization’s

accounting himself. He submitted reimbursable expenses and issued

payments to himself from the organization’s bank account.

However, once we stepped in, our team realized that he hadn’t

submitted any receipts or any other kinds of proof to substantiate his

reimbursement requests.

We looked into it, and it turned out that he was reimbursing himself for

personal expenses.




Protecting your company against cyber threats requires a three-

pronged approach.

First and foremost, you need to make sure your employees know

what phishing scams are and how to identify them. Instruct them in

cyber hygiene best practices, such as always verifying return addresses

before responding to emails involving money and never clicking on

links or downloading attachments from unverified sources. Any request

to transfer funds should require a text confirmation (or some form of

double authentication).

Second, invest in anti-malware that flags phishing scams. This

prevents your network from connecting to malicious websites, plus,

it isolates and disables any malware contained in phishing emails. It’s

basically a fail-safe that protects your network in case of human error.

Some of the best anti-malware apps include Bitdefender Antivirus and

Malwarebytes Anti-Malware, and they both have versions for PCs, Mac,

and Android. And while it won’t prevent malware from installing on your

device, Emsisoft Emergency Kit is a good clean-up tool that quarantines

known threats. It is another good place to outsource.

Third, don't assume emails are legitimate. When you receive

a request that involves a funds transfer, always call the person

authorizing that transaction and get verbal confirmation. You can also

set up a two-step authentication process that requires text approval, as

texts are almost impossible to steal, or a secret passcode to be sent via

text message.

Scenario 1: Cyber Threats

CHAPTER 3 Fraud Scenarios and How to Avoid Them

https://www.bitdefender.com/business/

https://www.malwarebytes.com/

https://www.emsisoft.com/en/software/eek/


The best way to prevent billing fraud is to separate the billing and bookkeeping functions. The employee who’s writing the checks shouldn’t also be reconciling your bank accounts. This is crucial to reducing fraud! If separation of duties isn’t feasible, outsource your bank

reconciliation functions.

Use purchase orders, or otherwise separate payment approval on

invoices before going to the bookkeeper. Separate AP, check writing

and authorization into three duties that are assigned to three

different employees. You should also separate approving, entering

and reconciling the bank account into three different functions

assigned to three different people.

Always pay based on an invoice (the original bill), never from a

statement, and verify time periods so you’re not being billed multiple

times for the same services or time period. Invoices need to show the

period of time served so they don’t overlap. Enter the invoice number

into QuickBooks™, since it will give you an alert if it’s a duplicate.

Invoices without numbers should be entered by date so you can always

go back and check the payments.

A fraudster using a vendor billing scheme first changes the payee on

the check to his or her own name and then, once the payment has

been made, revises it back to the vendor. That’s why you need to assign

one person to pay the bills and another employee to do the bank

reconciliations.

The employee handling reconciliations should request check images

from the bank, and with the payee field turned on, match the payee

on the check to the name listed on the payee screen. The name of the

payee has to be on the approved vendor list. QuickBooks™ Enterprise allows you to separate functions by

user and can be integrated with Bill.com™, which enables you to

separate bill approval from bill processing and create a scanned

image of each receipt.

Scenario 1: Bill Payment SchemesCHAPTER 3

Fraud Scenarios & How to Avoid Them

http://www.bill.com


If you're still using checks, stop! Use automated bill payment software such as Bill.com to reduce costs,

lower risk, and increase financial intelligence. Learn to Automate

Small Business Bookkeeping with Bill.com.

The built-in controls of automated bill payment provides protection

from fraud. Employees see only the information they need to complete

their part in the online bill paying process. With less employee access

and interaction in the bill payment, there’s less opportunity for internal

tampering with company funds. In addition to automated bill

payment, you should also implement the following best practices:

• Attach scanned images to each transaction

• Set up your bank account(s) to download all transactions daily

• Make sure that the payees on your bank statements are approved

and they are the same as those in your accounting system

• Never allow an employee who writes checks or has data entry access

to reconcile bank statements

If you must use checks, store them in a secure place only you can

access. Separate duties so either you--the owner--or a manager

reviews unopened bank statements and canceled checks.

Separate check cutting and preparation from check signing. It’s best

if the owner signs all the checks. You need to review each one before

signing to ensure an employee doesn’t give you a fraudulent check.

Make sure that signed checks are mailed out immediately. This

reduces the chances they can be altered after signing.

In addition, you should rotate employee responsibilities and hold

surprise audits. If there’s a changed payee, review the audit trail

for any red flags. If you’re billed for unexpected expenses, review

the proposed budget and compare it to the actual report. Finally,

remember to set up positive pay and ACH filters with your bank.

Open MailDelete Bills/Issue Vendor CreditsCreate New VendorsReview Bank StatementsReconcile Bank AccountsCreate Credit MemosApply Payments in Accounting System

If one person: They should NOT:

Create InvoicesEnters BillsPays/Approves Bills

Separation of Duties Chart

Bill Payment



http://Bill.com

http://www.growthforce.com/blog/learn-to-automate-small-business-bookkeeping-with-bill.com

http://www.growthforce.com/blog/learn-to-automate-small-business-bookkeeping-with-bill.com


It's best to eliminate cash payments as much as possible, since that makes cash skimming and lapping impossible.

Accepting ACH, EFT and credit card payments is a much safer option.

However, if you need to accept cash, use a lock box service to receive

it safely, and require daily bank deposits since that will bring any

discrepancies to light.

Separation of duties is again, key. Issuing receipts and deposits should

be separated, as should receiving cash and posting to accounts.

Posting to accounts receivable and receiving cash receipts should also

be segregated. Be sure to cross-train your staff and assign tasks on a

rotating schedule to ensure no single employee is always in control of

receiving cash.

If you don't outsource or you don't have the staff to get separation

of duties, create memorized reports of credit memos and postings to

bad debt accounts. Require supervisory approval for AR write-offs and

customer credit. Review the audit trail report for suspicious activity.

Record PaymentsCreate InvoicesCreate Credit Memos Delete InvoicesMake Bank Deposits


Physically Receives Payments


Collections

Scenario 3: Cash SchemesCHAPTER 3



Because payroll fraud is so difficult to detect, you should outsource the payroll function, and require owner or senior manager approval on any payroll changes.

For anything you don't outsource, adhere to separation of duties

for creating, reviewing, approving and signing payroll entries. You

should also separate payroll processing from bank reconciliation

and set up user rights to restrict the ability to edit and authorize

payroll transactions. For added security, set up Positive Pay and

an ACH filter with your bank. In addition, regularly review payroll

change reports and, at the end of the year, review gross wages on

W-2s. Finally, encourage employees to agree to direct deposit or pay

cards and perform background checks before hiring new people.

Note that the reason the vast majority of companies outsource payroll

is that the cost of a payroll provider is usually less than the cost of

doing it in-house. If your office manager insists on preparing payroll,

it should be a red flag. Why would they want to do payroll—and add to

their duties—when their time could be better used and it costs so little to

use a third party?

Open MailSetup New EmployeesAdjust Payroll RecordsPrepare Payroll Tax ReturnsReconcile Bank Accounts


Processes Payroll


Payroll




Use an app and make it easy to reduce employee expense fraud.One payment needs to have one receipt. There are various apps that

can capture images of paper receipts and/or credit card payments and

send them straight to your books. This eliminates the possibility of

providing handwritten expense reports without any receipts to back up

the claims.

Two of the best expense management apps available are Expensify™

and Insperity® ExpensAble® which offer secure, streamlined expense

reporting capabilities for smartphones and can be integrated with

QuickBooks™. The app sends financial data to the general ledger, which

speeds up the approval and employee reimbursement process, while at

the same time making it harder to submit duplicate reimbursement

claims. It also requires payer approval, as well as the ability to have two

authorized electronic approvals, which further reduces the risk of

fraud.



https://www.expensify.com/

http://expensable.com


QuickBooks™ has a "Prior Period" feature that helps maintain the

integrity of prior periods so they can’t be adjusted. Unauthorized

changes to prior periods can cause faulty decision making because

they affect financial statements and reports. Moreover, they can be

used to conceal fraudulent activity.

Because QuickBooks™ posts transactions based on their transaction

date and doesn’t maintain a traditional period-based closing, you can

use a Closing Date Exception Report as a highly effective control

procedure to ensure prior periods have not been altered.

Make sure your employees’ user rights are restricted so they don’t

have access to functions that should be separated. In accounting

preferences, set a closing date password and use the “Closed Period”

report under Accountant and Taxes.

Prior Period FraudYou will have to set a closing date every month to activate this

report. Just pick a date, say the 15th of every month, and lock down the

prior period. That will limit the ability to bury a transaction in the past.

Set up the CPA as an “accountant” user type. Make sure the CPA

reconciles the Equity account.

Approve Expense ReportsReview the Bank StatementReconcile the Bank Account


Pays Expense Reports


Expense Management

Scenario 5: Employee Expense Fraud ( Cont.)

CHAPTER 3 Fraud Scenarios & How to Avoid Them


Perform a C.R.I.M.E Assessment

Before doing anything else, you need to gain an understanding of how

your company’s structure, policies and procedures impact your level of

risk. You can do this using the C.R.I.M.E. Assessment.

When you take the time to objectively and comprehensively perform

the assessment, you’ll gain many valuable insights into your company’s

strengths, and whether you like it or not, its vulnerabilities. Although

the results can be disappointing, you absolutely need to study them

and create a strategy to eliminate any weaknesses. At the same time,

you should establish a system that facilitates oversight and promotes

transparency.

Understanding Your Level of Risk

Control ActivitiesC

Risk AssessmentR

Information systems and communicationI

MonitoringM

Control EnvironmentEThe C.R.I.M.E. Assessment was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)[11]

Is there proper separation of duties? Is there a review and approval process for invoices, estimates, purchases, etc? Is the computer safeguarded? Do you have a backup if the system fails?

Does the entity know what its risk tolerances are and what areas have the highest risk arising from both internal and external sources?

Are there proper controls for computer processing? Have you established clear lines of communications with vendors and customers regarding policies for billing and collections?

Is there a review of the internal control activities to ensure they are being set up as specified? Is there documentation of the internal controls to allow for independent review?

Is there a code of conduct? Do conflict of interest, acceptance of gift, and other related policies exist? What is the tone from the top? Does management encourage compliance with control activities?

CHAPTER 4 How to Protect Your Business from Fraud

https://www.coso.org/Pages/default.aspx

https://www.coso.org/Pages/default.aspx


Control activities are the policies and procedures that ensure

management directives are carried out. They usually involve two

elements:

A policy that prescribes what should be done

The procedure to implement the policy

You shouldn't build a business on “tribal knowledge.” A well run

company will handle transactions consistently both across employees

and over time. You need your company’s policies and procedures

in writing because, without documentation, it’s difficult to train new

employees on how transactions should be initiated, approved and

recorded. Subpar employee training results in high error rates,

incorrect financial statements, and a need for increased supervision.

Procedure manuals are a great value-added service both for new hire

training and future employee reference.

The most critical concept in electronic data security is to restrict access to your company’s sensitive data through the effective use of usernames and passwords. In order to keep track of who does what in your accounting system, be sure to:

Assign each user a unique, private username and password known only to him or her.

Set up separate accounts for “owner”, “office manager” and "CPA".

Don’t let employees log in and enter transactions as “administrator.”

Establish Usernames & Passwords to Protect Sensitive Data

Internal controls can reduce the risk of fraud and help your company get to the next level.

Revise Policies and Procedures

Build a System of Internal ControlsCHAPTER 4

How to Protect Your Business from Fraud


In the previous chapter, we discussed fraud scenarios that were

possible because one employee performed two or more functions that

need to be separated (approval, recording and reconciling) in the three

primary accounting functions of AP, AR and payroll.

The principle of separation (or segregation) of duties is the cornerstone

of a solid internal control system. In fraud prevention, separation

of duties involves dividing the critical duties into the three primary

accounting and bookkeeping functions between two or more

employees or departments.

Why is this so important? Well, let’s take the example of the billing

clerk and her cash skimming scheme. If the office manager had been

in charge of billing and recording accounts receivable, they would

have noticed how many patient accounts had credit memos or were

in arrears much sooner—and the financial damage to the doctor’s

practice would have been dramatically lower.

2 Person Office

Business Manager Mail checks

Write checks

Approve payroll

Record accounts receivable

Receive cash

Authorize purchases

Authorize check requests

Authorize invoices for payment

Record general ledger entries

Owner/Manager Sign checks

Reconcile bank statements

Sign employee contracts

Distribute payroll

Process vendor invoices

Complete deposit slips & make deposit

Reconcile petty cash

Perform bank transfers

Receive, open and review bank statements

Cornerstone of a Solid System

How to Separate DutiesCHAPTER 4



4 Person Office

Bookkeeper Record accounts receivable


Write checks


Process vendor Invoices

Make deposits

Clerk Distribute payroll

Receive cash

Disburse petty cash

Authorize purchases

Authorize check requests

Mail checks

Office/Manager Complete deposit slips

Approve invoices

Approve payroll

3 Person Office

Bookkeeper Record accounts receivable


Write checks


Process vendor Invoices

Make deposits

Office Manager Mail checks

Reconcile bank statements

Disburse petty cash

Approve invoices

Authorize purchases

Approve payroll

Receive cash

Distribute payroll

Approve time sheets


Complete deposit slips






Approve time sheets



Create Separation of DutiesCHAPTER 4



Be Alert to Warning Signs in Employee Behavior

While all the examples in this eBook were detected based on data,

it’s important to remember the human factor in fraud. Fraudulent

acts can be triggered by external factors in an employee’s life, such

as personal debt and other financial pressures due to medical bills, a

spouse losing a job, or an ailing parent moving in. There can also be

other factors, such as drug or alcohol use, gambling or an inability to

curb spending.

These issues can, in some cases, be accompanied by a change in

behavior. Sometimes an employee becomes disorganized, dissatisfied

or withdrawn. In some cases, employees suddenly start making a lot of

personal calls.

It’s important to keep in mind that behavioral changes can occur for all

sorts of reasons, and the chances they’re linked to fraudulent behavior

are small.

Look for warning signs of their

misdeeds: Fraud lasts for months

before the fraudster is caught - early

detection can have a big effect on

limiting loss.

Are any of your employees:

• Living beyond one's means

• Experiencing financial difficulties

• Exhibiting control Issues

Warning Signs in Employee BehaviorCHAPTER 4



Leverage OutsourcingOne of the most effective ways to reduce your risk of fraud is to

outsource your bookkeeping, accounting and control functions

to an experienced provider. This eliminates the risks associated

with a lack of internal controls and ensures that every transaction is

checked for accuracy.

Companies like GrowthForce, possess decades of experience and

have the expertise to flag and follow up on irregularities as soon as

they arise.

The truth is that the more people you have overseeing your books,

the less attractive your company becomes as a target for fraudsters.

So in addition to providing a significant amount of protection,

outsourcing also gives you peace of mind.

Benefits of Outsourcing

Better Financial IntelligenceTimely, accurate financial reports that help you better understand

your business, enabling you to make more informed decisions for

profitability and growth.

Peace of MindConfidence in the accuracy and quality of your financial information

A second set of eyes and documented policies and procedures,

helping to reduce the risk of fraud

More Time

Focus on what's important in your business

Credit checks

Detailed budgets

Exception reports

After-the-fact review of transactions and reports by owners or managers

Job rotation

Mandatory vacations

Physical safeguards

Employment verification

Background checks

If outsourcing isn’t an option, use other compensating control measures, such as:

Partner with an Outsourcing FirmCHAPTER 4



Conclusion

Now you should have a good understanding of how pervasive and damaging occupational fraud can be to small businesses.

Whether it’s cyber fraud, a billing scheme, check tampering, cash

skimming, payroll, or expense reimbursement fraud, no amount of

“gut feeling” or trust between employer and employees is a safeguard

against this type of insidious crime. Think about it: The average fraud

incident costs a company $150,000. Would your company be able to

handle a financial hit of that size—or a bigger one? And what about the

damage to your brand’s reputation?

Knowing this, it should be abundantly clear that fraud prevention is

one of the wisest investments of any CEO’s time and energy. As we’ve

explained, you need to objectively assess your risk, implement a system

of internal controls, separate accounting and bookkeeping duties,

establish an anonymous fraud hotline and leverage outsourcing to your

advantage.

If you follow some—or better yet, all—of our suggestions, you stand a

good chance of minimizing the risk to your business. And in the long

run, making an ongoing commitment to prevent fraud at every level of

your company can make all the difference in the world for a business

that’s thriving and poised for growth.

The average fraud incident costs a company $150,000. Would your company be able to handle a financial hit of that size — or a bigger one? And what about the damage to your brand's reputation?


Sources

[1] Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study


[3] https://www.ic3.gov/default.aspx

[4] http://searchcompliance.techtarget.com/feature/Verizon-Human-error-still-among-the-top-data-security-threats

[5] https://www.ft.com/content/83b4e9be-db16-11e5-a72f-1e7744c66818?mhq5j=e3

[6] http://frankonfraud.com/fraud-reporting/top-10-fraud-losses-for-2016-and-where-they-are-headed-now/





[11] Internal Control and Enterprise Risk Management Framework, © 2013 Internal Control – Integrated Framework

(“ICIF”) and 2004 Enterprise Risk Management Framework. Committee of Sponsoring Organizations of the Treadway

Commission (COSO). All rights reserved. Used with permission.

http://www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf


https://www.ic3.gov/default.aspx

http://searchcompliance.techtarget.com/feature/Verizon-Human-error-still-among-the-top-data-security-threats

https://www.ft.com/content/83b4e9be-db16-11e5-a72f-1e7744c66818?mhq5j=e3

http://frankonfraud.com/fraud-reporting/top-10-fraud-losses-for-2016-and-where-they-are-headed-now/





https://www.coso.org/Pages/aboutus.aspx

GrowthForce provides outsourced bookkeeping, management accounting and controller services for growing

businesses and nonprofits. GrowthForce combines advanced QuickBooks™ accounting system design

with a fractional share of a full service accounting department including a U.S. based, dedicated team of

bookkeepers, accountants and controllers. Our team approach gives a second set of eyes and documented

policies and procedures, helping to reduce the risk of fraud. Our customized financial reporting and KPIs help

small businesses and organizations drive performance and profitability through data-driven decisions.

To view our full library of case studies, whitepapers, and ebooks,

please visit www.growthforce.com/resources.

www.growthforce.com

281.358.2007

800 Rockmead Drive, Suite 200 Kingwood, TX 77339

[email protected]

@GrowthForce

About GrowthForce

GRO_033_OFF_V4

GrowthForce is not a CPA firm.

GrowthForce accounting services provided through an alliance with SK CPA, PLLC.

© 2017 GrowthForce, LLC

+1 212 810 9009www.tmaginc.com

http://www.growthforce.com/resources

http://www.growthforce.com

https://twitter.com/growthforce

https://twitter.com/growthforce?lang=en

the ceo's guide to reducing fraud - growthforce group and... · 2017-10-24 · 6 the ceos uide...

Documents