Sarah Harrison, Senior Auditor
It’s Business Now, But It Started Out Personal
I learned about asset misappropriation at an early age—first, when learning how to count the shop’s nuts and bolts and agreeing to a count sheet for “Take Your Kid to Work Day”; and then sleuthing how the family car went missing from a controlled-access garage in the Texas Medical Center. Some eight years later, the now-worn Buick was miraculously returned, but we noticed that the engine wasn’t the “factory original.” The VIN on the engine block didn’t match either our records or the windshield. I’ll spare you the suspense…the engine was never found, and the original thieves were never caught.
There has not been a single year of my life where fraud has not reared its head, and I still can’t say I’ve seen it all. In the time our little old car was missing, I’d grown up and headed off to college. I knew of friends who were clocked out by their boss while they were working, and others who watched theft taking place and had nowhere to turn to report it. Cash faded from wallets, replaced with plastic rectangles; family members lamented the theft of their credit card number; and the familiar corner store down the street became a hot spot to have your card skimmed. I watched the Enron meltdown in real time.
Then, our stolen car came back…well, mostly. If my interest had not been captured before that moment, checking and rechecking the VIN, I was now dedicated to learning all I could about fraud and staying abreast of new developments. This fascination may have originally been fueled by curiosity, but it is maintained by necessity. There is no small amount of self-interest in this passion. If I know how, when, and where a fraud can occur, I can protect myself. In turn, I can offer what I’ve learned to my clients and advise them on how to strengthen internal controls to detect malfeasance. By learning what factors lead to increased losses, I can also identify methods to help my clients reduce the cost of any fraudulent schemes that they uncover.
It may surprise you to know that most fraud victims recover absolutely nothing. Those who do recapture something generally only salvage a fraction of what they lost, monetarily, to say nothing of morale. I refer you again to our stolen car. The median length of a fraud scheme, as reported in the 2018 Report to the Nations, is 16 months. That means for a full year, and some change, a fraud went undetected and undeterred. It took our car eight years to return. It took my clocked-out friend a week to quit. There’s a lot of variability in each fraud, but generally speaking, the shorter the fraud is allowed to carry on, the less is likely to be lost.
The Big Theory
If you take away nothing else from this discussion, let this stick with you: the key to fraud prevention is the perception of detection. This concept is the driving force behind a majority of controls.
Let’s take a warehouse for example. Will a lock on your warehouse doors stop someone from breaking in? How about a security camera? An alarm system? No, of course they won’t. The lock can be broken, the camera disrupted, and the alarm system relies on someone responding to it before the thief gets away. However, each of these will add another barrier for thieves to overcome. They have to physically break the lock, work quickly before someone investigates the alarm, and will have the nagging worry that the camera saw something that would give them away. Each element builds on the stress facing a would-be thief.
The same holds true for other types of fraud. If your company selects a random payday to hand out physical paychecks, their “ghost employees” may be identified by unclaimed checks. If the store manager is reviewing sales trends and sees an unusual spike in returns, or a dip in cash, they can start investigating whether anyone is reviewing journal entries, or which employee has access to which systems.
One of the controls auditors most recommend is for clients to review their key controls, such as bank reconciliations, reconciling items and journal entries. It’s even better if the person performing the review is documenting what they looked at, and how they resolved any questions they had.
The easiest of these to tackle is the bank reconciliation. The bank statement, itself, should be reviewed periodically for unusual receipts or disbursements with parameters set by the company. A company should also look at canceled check images to ensure the signatures match what they would expect (who is signing, and if that disbursement is within authorized limits and to approved vendors). A quick check of the sequence of checks or wire numbers against the record of payments issued can detect unusual items, as well. Positive Pay, where the bank only cashes an approved list of disbursements, transmitted to them securely, can be a fantastic control if the person transmitting the file is not someone with check signing capability. Ideally, the bank reconciliation should be prepared by someone who doesn’t have check signing capabilities, or the ability to issue electronic payments. Beyond that, a reconciliation should be reviewed by a second person on the accounting team with supervisory capacity. For a gold star, the reviewer should initial the bank statement and the reconciliation, indicating they have completed their review.
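An added illustration, not from the original article: a short Python review of cleared checks against the record of payments issued, flagging the items the paragraph above tells a reviewer to look for. The vendor list, signer limits, check numbers and amounts are all constructed sample data, and the "round-dollar" test (multiples of 100) is an assumed parameter a company would set for itself.

```python
from decimal import Decimal

# Constructed sample data (assumptions, not from the article).
APPROVED_VENDORS = {"Acme Supply", "City Utilities", "Lone Star Freight"}
SIGNER_LIMITS = {"cfo": Decimal("50000"), "controller": Decimal("5000")}
REGISTER = {  # check number -> (payee, amount) from the record of payments issued
    1001: ("Acme Supply", Decimal("1842.17")),
    1002: ("City Utilities", Decimal("310.55")),
    1003: ("Lone Star Freight", Decimal("7250.00")),
}
CLEARED = [  # (check number, payee, amount, signer) from statement and check images
    (1001, "Acme Supply", Decimal("1842.17"), "controller"),
    (1002, "City Utilities", Decimal("310.55"), "controller"),
    (1003, "Lone Star Freight", Decimal("7250.00"), "controller"),
    (1047, "JT Consulting", Decimal("3000.00"), "controller"),
    (1048, "JT Consulting", Decimal("4000.00"), "controller"),
]

def review_cleared_checks(register, cleared, vendors, limits,
                          round_unit=Decimal("100")):
    """Return {check_no: [reasons]} for items a reviewer should follow up on."""
    findings = {}
    lo, hi = min(register), max(register)
    for no, payee, amount, signer in cleared:
        reasons = []
        issued = register.get(no)
        if issued is None:
            reasons.append("not in record of payments issued")
        elif issued != (payee, amount):
            reasons.append("payee or amount differs from record")
        if not lo <= no <= hi:
            reasons.append("check number outside issued sequence")
        if payee not in vendors:
            reasons.append("payee is not an approved vendor")
        if signer not in limits:
            reasons.append("signer is not authorized")
        elif amount > limits[signer]:
            reasons.append("amount exceeds signer's limit")
        if amount % round_unit == 0:
            reasons.append("round-dollar amount")
        if reasons:
            findings[no] = reasons
    return findings

if __name__ == "__main__":
    result = review_cleared_checks(REGISTER, CLEARED, APPROVED_VENDORS, SIGNER_LIMITS)
    for no, reasons in sorted(result.items()):
        print(no, "; ".join(reasons))
```

Check 1003 matches the register yet is still flagged because it exceeds the signer's limit, which is why the signature review and the sequence review are separate tests.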
A similar process can be put into place for manual journal entries. One person prepares the entry, while someone else reviews supporting documents and necessary authorizations before they approve the entry to post. Departmental or company-wide review of monthly financial results can help detect unusual trends, suspicious increases or decreases, and other items out of line with expectations.
Make no mistake, even with all of these controls in place, a fraud can still occur. Unusual general ledger postings can go unexamined, and an out-of-sequence check can go uninvestigated, especially if no one speaks up. When something seems off, ask questions of the people who have the knowledge to answer. If they don’t know, they can likely point you to someone who does.
I really cannot stress this point enough: a strong ethical and compliance culture is correlated with lower losses and quicker detection of fraud. The Ethics and Compliance Initiative shows that employees in weak ethical company cultures are roughly 65% more likely to observe white-collar crimes. Compounding that, you are far more likely to find out about fraud from an internal tip (the much-maligned whistleblower) than you are from any other method. Over half of all frauds are reported internally by a company’s employees.
Your employees are, and always will be, the best line of defense against fraud. Unfortunately, the other trend to pay attention to is retaliation. Retaliation typically flows from the top down: upper management will retaliate against middle management, who take it out on their subordinates, and so on. Instances of retaliation for reporting fraud are on the rise (nearly doubling from 2013 to 2017), despite a relatively low increase in the number of employees who observed misconduct and subsequently reported it (64% in 2013 to 69% in 2017).
In the same way that the perception of detection decreases your fraud risk, the impression that reporting misconduct will bring harm to the tipster discourages them from speaking up. All but the most ethical of employees would be discouraged by the prospect of losing their job, facing a pay-cut, or experiencing other negative consequences for tipping management off to fraud.
Oh no, it’s happened! Your manager has detected an unusual increase in returns this month. There is a series of out-of-sequence checks in round dollar amounts to an unknown vendor. Your cash drawer is short by hundreds of dollars. Your accounts payable clerk has come to you with an alarming allegation. You’ve taken every possible step, followed every best practice, and you may still have a fraud on your hands. Take a deep breath and reach for your Fraud Response Plan. This doesn’t have to be a detailed plan; in fact, it is highly recommended to keep the plan flexible. That being said, such a plan does need some structure and a listing of resources to draw on.
Keep your initial response low-key. At this point, contact your legal counsel for recommendations on what to do next. They can make sure that you don’t compromise any evidence and help you get started in your investigation. They will likely recommend that you secure any documents or other evidence that might be useful (security camera footage, invoices, check stock…whatever was impacted). This is perhaps the most delicate time in your response plan, where a misstep can cost you evidence that might be useful later, especially if you alert the fraudster to your investigation.
Your lawyer will likely recommend a financial investigator, or a fraud examiner, to help advance the investigation. Your auditors also have a network to draw on, from investigators to specialists. This is a good time to re-read your insurance contract and contact your insurer, as well. Most insurance policies require notification within a set time frame, or you will lose your coverage. Keep that time frame on your radar and contact them right after discussion with your lawyer.
Resist the urge to immediately terminate any suspect employee. Your lawyer can help you decide how to proceed in that regard. Generally, your safest move is to keep the suspect employee from touching or removing anything, besides personal items, from their work area. It is also a good policy to let the entirety of your company know that there is a fraud policy in place, and that tips provided in good faith will be taken seriously. This feeds back into tip number two, above, which is to encourage an ethical work culture and value your employees when they come to you with concerns.
Of course, each of these steps can be tailored to fit your company’s situation. Engaging your lawyer to review the plan and make necessary modifications is highly recommended.
Most business professionals are aware that fraud can happen and keep an eye out for blatant theft; however, they stay blissfully unaware of less obvious red flags. By staying up to date on the latest fraud schemes, implementing a strong ethical culture, and utilizing internal controls, savvy companies can discourage fraud from happening and detect fraudulent incidents sooner.
Audits do not typically detect fraud. In fact, Internal Audit functions detected approximately 11% of the frauds, as reported in the 2018 Report to the Nations. External Audits detected around 3%. However, an outside accounting firm, like Weinstein Spira, provides advice on internal controls and best practices to help organizations prevent or detect fraud. Further, we assist in specialized engagements to test controls or examine certain records.
As an external auditor, I see the big picture, as I’m not buried in my clients’ day-to-day operations and can help them view their risks from a different perspective. When I find a fraud control not functioning as intended, I inform the client and provide suggestions on how to improve it, making them more fraud-proof.
Let us know how we can help.
For more reading and some wonderful infographics, I strongly recommend the Report to the Nations.
For injecting a dose of ethics into your routine, I recommend EthicsStats provided by the Ethics & Compliance Initiative (ECI). ECI provides wonderful information on fostering an ethical workplace.