Your Best Anti-Fraud Resources are Right Under Your Nose

Don’t assume that because your CPA compiles or audits your business' financial statements, or does your taxes, your business is protected or free from fraud. All are valuable and necessary services, but none is designed or intended to protect you from fraud or to detect it. The Association of Certified Fraud Examiners' 2016 Report to the Nations on Occupational Fraud (read executive summary here) found that in the US, only 4% of occupational frauds are discovered by an external financial statement audit.
 
The good news is that the best way to prevent and detect fraud is right under your nose: your internal resources. There are three easy and relatively inexpensive steps to create an environment in a business that will discourage employees from stealing from you, or catch them early if they do. And all are less expensive than an annual financial statement audit.

Prevention: The ‘Tone at the Top’ 
“The tone at the top” is the attitude by board members, owners, executives, and management that they are running an ethical, compliant, law-abiding company that will always strive to do what is right and that all employees are expected to do the same.  Management should be expected to model that attitude without exception. This includes prosecuting employees who steal from the business and not hiding those consequences from the rest of the staff. This expectation is communicated to all employees, customers, vendors, applicants, and new employees. Employees sign contracts every year that they understand this expectation and pledge to not only abide by it but also report others who do not.

Prevention: Your Policies and Procedures  
Your policies and procedures make up your internal control system. Things like separation of duties, disbursement approvals, and locking up blank check stock, among others, are not just good business practices -- they are key anti-fraud controls. When you don’t have enough employees to properly separate duties, management must step in and provide more detailed review. Don’t rely on your bank teller to analyze check signatures or even know who the authorized signers are. It’s up to the business to make sure that unauthorized checks don’t get to a teller. There are many procedures that can be implemented to prevent or mitigate the effects of occupational fraud.

Detection: You, Your Employees, Your Vendors and Customers 
A tip is the most common notice of a suspected occupational fraud. The 2016 Report to the Nations reported that in the U.S., 37% of all occupational frauds are caught as the result of a tip (51% of these from employees). Employees need to know how to recognize situations that are out of the ordinary. They should know why procedures are set up the way they are. They should know that if they don’t follow established procedures, someone down the line will notice. The person printing checks is looking for management approval on an invoice, or the Controller is going to notice that accounts receivable is too high or that more refunds are being processed. Employees should also have a way to report concerns anonymously and/or without fear of reprisal. Larger organizations have hotlines monitored by an outside resource. Small businesses have suggestion boxes. All businesses should have a published method for employees, vendors, and customers to report suspected wrong-doing.
 
Internal audits detect 14% of frauds.  An independent internal audit function is a requirement for public companies and a necessity for large businesses that are interested in receiving objective opinions about the effectiveness of their operating procedures and controls.  But a small company can either outsource periodic internal audits or allow an objective employee to perform limited reviews to make sure the checks and balances are working.
 
Bottom line: Ninety-three per cent of all occupational frauds in the US are caught internally. This is a small fraction of the frauds that are prevented by a positive environment and a strong internal control system.

Ask me how you can prevent fraud in your business.

What Does Your Annual Audit Opinion Really Mean?

I recently read an article, authored by a Certified Public Accountant, about what non-profits should do to get ready for their annual audit. It was about identifying risks and establishing internal control.   This article jumped out at me because if you just read the title, and maybe if you read the article and you don’t have an audit background, you’re going to think that the whole objective of having great internal controls is to look like you’re managing your risk so you’ll “pass” your financial statement audit.  Many small businesses and non-profits believe that getting a financial statement audit verifies that their business is free of fraud, has sufficient internal control, and that receiving an unqualified opinion means that they don’t need to be reviewing and tweaking the internal control system on a regular basis. 

That’s just not true.
 
The purpose of a financial statement audit is for an independent objective party (the CPA) to certify that in his opinion, your business’ financial statements fairly present its financial position, i.e. the financial statements are somewhat correct.  Have you ever closely read the whole audit report? Go read your last audit report after you read this post and call me.
 
To illustrate, the following paragraph is from a real audit report. I lifted it off an actual annual report for a local non-profit. (Oh shut-up it’s right there on their website.) Names are X’d out but I added italics.
 
“Management is responsible for maintaining X’s system of internal control that includes careful selection and development of staff, proper division of duties, and written policies and procedures. Although there are inherent limitations to the effectiveness of any system of accounting controls, management believes that X’s system provides reasonable assurance that assets are safeguarded from unauthorized use or disposition and that the accounting records are sufficiently reliable to permit the preparation of financial statements that conform in all material respects with generally accepted accounting principles.”
 
The above paragraph leads you to believe that this CPA firm didn’t perform a separate internal control review. Instead, they took management’s word that the system of internal accounting control is sufficient.  I’m sure management really believes that their internal accounting control is sufficient.  After all, they can trust their employees (don’t get me started). I happen to believe that in this situation the audit firm doing this audit should not be using management’s assurance of the control system’s reliability.  Why?  Because the CFO and the Controller of this non-profit don’t have a single accounting or audit background between them. They have lots of non-profit experience, but there’s nothing in either of their backgrounds that would suggest they know how to establish a strong system of internal control. 
 
But there’s more to this report:

“The Board of Directors, composed exclusively of independent, outside directors, meets annually with the independent auditors and through the audit committee meets regularly with the independent auditors to review accounting and internal control matters. Part of these meetings are conducted with no staff present…”
 
I suppose once a year is regular enough. The Directors, who are probably volunteers, (not a single one of whom is an accountant --I looked them up -- much less a CPA), meet with the auditors to review internal control matters.  My guess is that none of the Directors would know an internal control if it sat in his lap. (Oh, come on, I’ve been on plenty of volunteer, non-profit boards.) 
 
Then there’s the explanation of what the audit firm is actually responsible for:
 
“Auditor's Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
 
“An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control…”
 
If the auditors see a material misstatement or recognize a fraud, they will alert management and probably won't issue an unqualified opinion. But what about the internal control weaknesses that management doesn’t know about? Those weaknesses, the ones that management isn’t aware of, are the most serious; they’re the ones that expose the business to errors and fraud.  Did the auditors perform extra testing in those areas that no one knows are vulnerable?   How could they have? Management is responsible for internal control and management said it was fine.
 
Also, pay attention to the word “materiality.” Financial statement items are material if they can influence the economic decisions of users. Maybe materiality was set low, like $10,000. More likely it was $100,000. What if there’s a bookkeeper or cashier who is skimming $5,000 every year?  That’s not material relative to a financial statement audit.  If you manage that small business or non-profit, you know that even immaterial theft is VERY.  DAMN. IMPORTANT.  It’s not just about the money.  And again, the auditor didn't express an opinion on the effectiveness of internal control, nor are they claiming there is no fraud,  because they relied on management to tell them that internal control was sufficient.
 
Now for the big reveal -  The Opinion:
 
"In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of X, as of December 31, 2016, and the changes in its net assets and its cash flows for the year then ended in conformity with accounting principles generally accepted in the United States of America."
 
What does the opinion really mean? It means that the auditor thinks your financial statements are fine. That's all.  How do you feel about it now?  Next year, ask your auditor exactly what it means to receive an unqualified opinion - don't just take my word for it.
 
But no matter: hooray!  You passed your annual audit. Go for drinks after work! 
 
Because tomorrow, now that you’ve read this post, the real work begins.
 

The Case Against the Employee Who Does Too Much

 

I receive daily Google alerts for articles about employees who are caught embezzling. There are a lot of articles. I know that the cases I hear about are a very small percentage of embezzlements that are investigated. I also know that embezzlements that are investigated are a very small percentage of situations that should be investigated.
 
Why? Because business owners don't know what to look for or they don't want to acknowledge the problem.
 
Most of the cases I hear about or handle personally have one thing in common: an employee who does too much.  Many, if not most, small businesses and non-profits become victims of an employee who does too much.  They become the victim of 'the employee who does too much' for numerous reasons - my experiences with this problem are discussed below.
 
1. They can’t afford to hire another employee. 

They can’t really afford to lose money to fraud either, but they either don't know any better or they ignore or accept the risk. There is something the business can do when they have an employee who does too much. The owner, executive director, or “management,” should be involved or at least provide knowledgeable oversight for whatever process the employee controls.
 
2. It hasn’t occurred to them that the employee who does too much would take advantage of her absolute and total control over the cash and accounting process.  

I recently spoke to a business owner who found out that her bookkeeper had been stealing from the business for over 15 years. When the bookkeeper was arrested, she confessed. When asked “why?” Her response? “Because it was so easy.”  I investigated a physician practice embezzlement. The office manager was the employee who did too much. She was also the physician’s next door neighbor. Trust is not a control, friends.
 
3. The Ostrich: they really don’t want to know.  

Believe it or not, I frequently encounter an ostrich. The employee who does too much does SO much, that if she was caught stealing, the ostrich would have to do something about it. But he doesn’t want any more on his proverbial plate than he has already. He’s convinced himself that, even though she (the employee who does too much) can take lots of money AND cover it up, the business is still making lots of money, so he doesn’t want to rock the boat.  But is the business making as much money as he thinks it is???   Owners and managers with little time will convince themselves that the employee who does too much is irreplaceable. Think about the message this sends to anyone who suspects. Fraud prevention starts at the top. Someone needs to put their foot down. But truth can be stranger than fiction.

4. Sometimes, the business is growing so fast, no one has taken the time to stop and think about what everyone is doing.  

Especially if everything is getting done. What was once a small business whose owner could provide plenty of detailed oversight is now a bigger company with lots of orders and clients and a once part-time bookkeeper who is now working full-time because she’s become the employee who does too much.
 
5. Or maybe, the business is growing so fast that the owner suddenly realizes he doesn’t have time to do the bookkeeping. 

He wants it off his plate YESTERDAY.  So, he hires an accountant.  He’s so relieved to quickly find someone familiar with Quickbooks that he fails to check references or do a background check.  Yeah…she’s real familiar with Quickbooks.
 
This list can go on and on.  Unfortunately, if the employee who does too much is really good, there won’t be many typical fraud red flags because she’ll be able to fix the accounting records to cover her tracks.   If you have an employee who does too much, you will want to look for the following behaviors:
 
1. Any employee who handles assets – cash, checks, credit cards, receivables,  inventory, equipment – who is responsible for more than a couple of steps in the process is an employee who does too much. 

2. An employee who does too much becomes very protective of her work, her system, and gets defensive or resistant about making changes or receiving oversight. 

3. The employee is coming in very early in the morning and/or staying late, or in any way seems to have more work to do than she should. 

4. Changes in the lifestyle or work habits of an employee, especially one who does too much. 

5. Any employee who has unrestricted access to your IT system.  

6. An employee who does too much who also has personal problems: divorce, a sick family member, personal addiction or a family member with addiction issues, etc. 

I realize that all of you on my mailing list have a great internal control system at your business because you read all my newsletters. Right?  You are the exception. It’s much more difficult for an employee with limited access and responsibility to embezzle money. So help your friends, clients, and colleagues who are business owners, managers or executives by raising your voice against the employee who does too much (and by sending this post to the unenlightened).

 

What is BizSafe, Anyway?

I recently completed an exercise designed to help me with my elevator pitch.  I thought this exercise might make a good newsletter - it's been awhile since you've heard from me. So here goes:  The first question was...

Who Are You?

I’ll skip the obvious because you’re about to hear the elevator-is-stuck version of the Wessel Forensic Accounting elevator pitch.

The second question (since I’ve explained that my company is in the business of investigating fraud and also has a great fraud prevention service called BizSafe) is:
 

What is BizSafe?

BizSafe is a conversation, not an audit and definitely not software, about how your business accomplishes its objectives. It’s a conversation about your policies and procedures, even if they aren’t written down. My partner and I ask you questions about what you do and how you do it. Examples: How and from whom do you receive income? Who mails checks to vendors? How do you assign passwords? Who reviews your server logs? Who locks the doors at night? Pretty basic but very important stuff that tends to get overlooked when you get busy. When we have all our questions answered, we write a report that includes our findings - weaknesses that we identified in your practices and procedures that expose your business to mischief and mistakes - and our recommendations, easy ways to change so you can plug the holes and eliminate or mitigate mistakes. And mischief.
 

Who Needs a BizSafe Review?

A BizSafe review is important for any organization that is large enough to hire employees and delegate responsibilities. In other words, the owner or management is no longer watching all transactions as they occur.  It's especially important for small businesses and non-profits because they frequently don't have the knowledge, need, or resources to set up protection at the start. Then when business picks up and they're hiring employees, they don't have time to think about it.
 

The Last Question: 
So What?   

HA! That’s the next post. And considering my posting record, you might not get an answer until next year sometime. You can learn some interesting stuff in the meantime if you follow me on Twitter.  But if there’s a middle-aged woman working in your office, you may want to give me a call. 


REMEMBER: TRUST IS NOT A CONTROL!

Wessel Accounting and Portfolio offer free security reviews for non-profits in 2016

By Laura Haight

There is no way to know for certain how many nonprofits were hacked in 2015 or are in the process of being hacked right now. But many security organizations and cyberthreat analysts believe it is at least as high — if not higher — than the rate for small business.

Like small businesses, nonprofits are disproportionately victimized by fraud and hacking as well as underprotected by controls and detection measures. This assessment from the Association of Certified Fraud Examiners is a wake-up call for nonprofits that do not realize how at risk they are. To support the nonprofits serving critical needs in the Upstate, Portfolio and Wessel Accounting are offering to provide their BizSafe Security Review for free to one local nonprofit each month through 2016.

BizSafe is a scalable tool to help assess, identify and mitigate the veracity of internal controls and security procedures that could be leaving a business or nonprofit vulnerable to hacking, cracking or fraud. The service is jointly provided by Laura Haight, a former IT executive and president of Portfolio, and Kelly Wessel, former director of internal audit for the Greenville Health System and president of Wessel Accounting.

Although news of a hack or exposure of a nonprofit periodically comes to light, there is a shortage of hard data to analyze. Experts like the ACFE and the Hauser Center for NonProfit Organizations at Harvard University see this not as a lack of risk but a lack of public reporting.

In the small business sector, both the National Small Business Association and Symantec reported that in 2014 more than 60 percent of small businesses in the U.S. were hacked. That trend only expanded in 2015, every cyber expert admits. Across the board, the ACFE estimates that 6 percent of revenue for all businesses is lost to fraud or hacking. In many cases, these are attacks and embezzlement that the business is unaware of. When it comes to cybercrime, the FBI has stated that most businesses have a hacker in their systems for 18 months before they even realize it, and most find out when the FBI comes knocking at their door.

Experts believe nonprofits are at least as vulnerable - and most more at risk - than other small businesses. In addition to detailed donor databases including names, addresses, donation amounts, banking information and even in some cases credit cards, nonprofits have information about grants given and received, as well as clients they serve. They may have health records or family information. All of these are important data points that hackers or cybercriminals will use to build a profile and hack identities. Additionally, websites are particularly vulnerable because they are often not regularly updated or do not have support staff to fully monitor their security.

“Kelly and I are very concerned about the vulnerability of nonprofits and we hope that by offering our BizSafe service to some local organizations we can raise awareness about the risks, the availability of solutions and the importance of educating and protecting ourselves, our businesses, our donors and our sustainability,” noted Haight.

You can learn more and nominate your favorite nonprofit by visiting the BizSafe website: http://www.bizsafesc.com/nonprofit-program/.

For more information, contact laura@portfoliosc.com or kelly@wesselaccounting.com.

 

5 Controls for Very Small Non-Profits

Strong internal controls dictate a separation of responsibilities to provide checks, balances and oversight. For small businesses and nonprofits, that can be unrealistic. But there are some basic procedures that even very small offices can manage to protect themselves from fraud.

Praise the Lord and Pass the Internal Control

Do you go to church? Have you ever been to a church? I’m not asking because I’m worried about your soul. Have you ever wondered what happens to the collection that is taken during the service? You should find out. If you tithe, do you carefully check your record of tithes against the statement sent to you by your church? If not, you need to start.

Case Studies: The Fraud Triangle and the South Carolina Hospitality Association

The fraud triangle is a model that is frequently used to illustrate the factors that can cause someone to commit occupational (workplace) fraud. Most occupational fraud isn’t committed by seasoned or experienced criminals. It is rather an issue of three factors: opportunity, pressure, and rationalization.

THE METHADONE CLINIC THAT WAS.

If the objective of this newsletter series is achieved (and assuming you read my newsletters BEFORE you delete them) you will all become so fraud-savvy I will eventually write myself out of a job. Maybe I should think this over.

I realize that your business probably doesn’t have the type of problem illustrated by this case.  However, if you know someone who might benefit from this information, please forward this newsletter to them.

This story was donated by a contact in law enforcement.

I’m not going to assume that  you know what a methadone clinic is.  According to Wikipedia,  “A methadone clinic is a clinic which has been established for the dispensing of methadone, a schedule II narcotic analgesic, to those who abuse heroin and other opiates.”  I’m not going to be a smart-ass and say that the business-type is the first red flag.  We would assume that the employees of said clinic don’t necessarily have the motivation to obtain funds illegally. But there are all sorts of motivations — a topic for another newsletter.

THE FRAUD
The only front office employee at this clinic was receiving  payments from patients and diverting some of the cash to his wallet.  When patients came in, their name, patient number, service date and time would be logged into the accounting system.  The perp  (I love cop-speak) would delete the patient visit and payment from the accounting system and pocket the cash.  There were  so many procedural no-no’s found in this situation my head spun. In fact, I think the only thing that was right was the mission of the clinic.

RED FLAGS
The first actual red flag probably wasn’t considered a red flag; it may have even seemed a blessing: the clinic’s patients only paid in cash. And what business is going to say “Sorry! Your cash isn’t accepted here because one of our employees might steal it”? Cash is cash is cash and when a business accepts cash as a payment there needs to be extra accountability. The red flag? CASH. Why do mail order companies ask you to not send cash in the mail? Because eventually, someone is going to open the envelope. You fill in the blanks. It’s CASH!

Cash can be the cheapest form of currency for a business because it incurs no processing fees, NSF, or collection fees. But it can be a pain because it’s impossible to track and therefore it’s easy to steal (NOOOOO, you think, not MY employees!). There’s no electronic record, check number, or copy in the bank vault. When a business takes in a lot of cash payments, it must have additional checks (pun intended) and balances. For instance, don’t let the same person collect the cash AND enter the payment into the accounting system. An employee who handles cash probably shouldn’t have log-in credentials for the accounting system.

The other red flag?  Doses dispensed > income.  The owner noticed that methadone doses dispensed were plentiful but income was not.  This might have been a “notice” in hindsight.  My details here are a little sketchy.  But the owner either noticed the inconsistency and didn’t act,  or he noticed it after  the fraud was uncovered.  Either way, SHAME ON HIM for either 1) looking and not acting; or 2) not looking; or 3) looking AND NOT KNOWING WHAT HE WAS LOOKING AT.  No excuse. Sheeeesh.

DEFINING MOMENT (for the perp)
One of the patients called in after  his visit and asked for a receipt for his payment.  He must have talked to  someone other than the perp (who probably took the day off to spend his money).  They couldn’t find a record of the payment. They couldn’t find record of the service in the accounting system.  For all I know, they couldn’t find the patient’s name in the accounting system. But the pharmacy had a record of the methadone being dispensed.
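
Both "notices" in this case (doses dispensed exceeding income, and a pharmacy record with no matching accounting record) are reconciliations against a record the front-office employee could not alter. Here is a sketch of that check in Python, added as an illustration and not part of the original newsletter; the field names, the flat fee, the receipt numbering and all sample records are constructed assumptions.

```python
"""Reconcile an independent dispensing log against the accounting ledger."""
from collections import Counter, defaultdict

# Constructed sample data. Field names, the flat fee per visit and the
# sequential receipt numbers are assumptions made for this example.
FEE_PER_VISIT = 15.00

PHARMACY_LOG = [  # kept by the pharmacy; the front office cannot edit it
    {"patient": "P-1001", "date": "2016-03-01"},
    {"patient": "P-1002", "date": "2016-03-01"},
    {"patient": "P-1003", "date": "2016-03-01"},
    {"patient": "P-1001", "date": "2016-03-02"},
    {"patient": "P-1004", "date": "2016-03-02"},
]

LEDGER = [  # what remains in the accounting system after two deletions
    {"receipt": 501, "patient": "P-1001", "date": "2016-03-01", "paid": 15.00},
    {"receipt": 503, "patient": "P-1003", "date": "2016-03-01", "paid": 15.00},
    {"receipt": 504, "patient": "P-1001", "date": "2016-03-02", "paid": 15.00},
]


def unmatched_doses(pharmacy_log, ledger):
    """Return (patient, date) for each dose with no ledger visit left to match it."""
    remaining = Counter((e["patient"], e["date"]) for e in ledger)
    missing = []
    for dose in pharmacy_log:
        key = (dose["patient"], dose["date"])
        if remaining[key] > 0:
            remaining[key] -= 1  # one ledger entry accounts for one dose
        else:
            missing.append(key)
    return missing


def daily_shortfall(pharmacy_log, ledger, fee=FEE_PER_VISIT):
    """Return {date: expected income minus recorded income} for short days."""
    expected = defaultdict(float)
    recorded = defaultdict(float)
    for dose in pharmacy_log:
        expected[dose["date"]] += fee
    for entry in ledger:
        recorded[entry["date"]] += entry["paid"]
    return {
        day: round(expected[day] - recorded[day], 2)
        for day in sorted(expected)
        if expected[day] > recorded[day]
    }


def receipt_gaps(ledger):
    """Return receipt numbers missing between the lowest and highest on file."""
    numbers = {e["receipt"] for e in ledger}
    if not numbers:
        return []
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in numbers]


if __name__ == "__main__":
    for patient, day in unmatched_doses(PHARMACY_LOG, LEDGER):
        print(f"dose dispensed, no payment on file: {patient} on {day}")
    for day, amount in daily_shortfall(PHARMACY_LOG, LEDGER).items():
        print(f"{day}: recorded income short by ${amount:.2f}")
    print("missing receipt numbers:", receipt_gaps(LEDGER))
```

In the sample data the second deleted receipt leaves no gap because it was the last number issued, so the sequence check alone misses it while the comparison against the pharmacy log does not.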

BIG BLACK HOLES (i.e., CAUSES)
I could write an encyclopedia on how this could have been prevented.  I’m sure the detectives who actually investigated this case DID school the owner.  The basics, since we don’t have time for everything:

  • They didn’t separate duties;
  • They didn’t carefully check behind an employee that had too much responsibility;
  • They weren’t smart about assigning log-in credentials. Every employee doesn’t necessarily need access to the accounting system.  NO ONE should be able to delete records;
  • They didn’t understand the controls available in their accounting software. They used QuickBooks but they didn’t use it well;
  • Someone wasn’t paying attention;
  • No meaningful account analysis was being performed;
  • Did they run an employee background check?  I don’t know.  It may have helped.

THE FALLOUT
This little not-for-profit clinic paid the ultimate price: it lost $73,000 and had to close its doors. I don’t know what happened to the perp.  But even if he was arrested, prosecuted and found guilty, I’m sure he eventually got another job (or will).  Does your business run background checks on employees?

‘Til next month…..

Case Studies: Fraud, Forensics, and other Random Felonies, Flaps, and Five-Finger Discounts.

The best way to protect yourself from crime is to learn the lessons of other victims.

That’s what I hope to do in a monthly newsletter which will focus on case studies. The cases will be actual frauds or cases of intentional regulatory non-compliance. In each one I will look at what happened, what the red flags were, how the frauds were uncovered, and what the fallout was. The names will be changed to protect the innocent. Seriously, the victim. Many of the frauds in our case studies could have easily been prevented. And as much as I’d love to throw the perpetrator under the proverbial bus, I don’t want to name names when illustrating the stupidity, or in some cases naivete, of the victims.

Before I start analyzing case studies,  I’m going to explain the most common red flags of fraud.  Some of the red flags are no-brainers but are still repeatedly overlooked by management and business owners for all sorts of reasons.

  • Employee lifestyle changes.  If the minimum-wage mail room clerk drives to work in a new Bugatti, it’s time for an audit.
  • Employee with significant credit problems.  Are debt collectors showing up to see an employee? Yikes!  Use discretion, but listen to the talk around the water cooler.
  • Refusal to take a vacation.  And you thought the bookkeeper was really dedicated, or had no life.  There’s a reason banks require their employees to take week-long (or longer)  vacations.
  • Lack of separation of duties. This is difficult for very small businesses.  But should your secretary (or anyone, really)  be opening the mail, posting customer payments, taking the deposit to the bank, reconciling the bank statement,  answering phone calls, making collection calls, or any two of the above?  The same goes for inventory.
  • Management (or a manager) operates “fast and loose” with rules, details, procedures, etc.  and gets away with it.
  • Unreconciled bank statements. Or unusual reconciling entries: something other than outstanding checks. But take a close look at outstanding deposits. Yes, last Thursday’s deposit really should be on the bank statement that was printed four days later.

I could go on and on. But you get the idea and if you don’t unsubscribe from my newsletter, you’ll learn a lot more. Even better, forward it to someone you think may need a “heads up.”