It’s Business Now, But It Started Out Personal
I learned about asset misappropriation at an early age—first, when learning how to count the shop’s nuts and bolts and agreeing to a count sheet for “Take Your Kid to Work Day;” and then sleuthing how the family car went missing from a controlled-access garage in the Texas Medical Center. Some eight years later, the now-worn Buick was miraculously returned, but we noticed that the engine wasn’t the “factory original.” The VIN on the engine block didn’t match either our records or the windshield. I’ll spare you the suspense…the engine was never found, and the original thieves were never caught.
There has not been a single year of my life where fraud has not reared its head, and I still can’t say I’ve seen it all. In the time our little old car was missing, I’d grown up and headed off to college. I knew of friends who were clocked out by their boss while they were working, and others who watched theft taking place and had nowhere to turn to report it. Cash faded from wallets, replaced with plastic rectangles; family members lamented the theft of their credit card number; and the familiar corner store down the street became a hot spot to have your card skimmed. I watched the Enron meltdown in real time.
Then, our stolen car came back…well, mostly. If my interest had not been captured before that moment, checking and rechecking the VIN, I was now dedicated to learning all I could about fraud and staying abreast of new developments. This fascination may have originally been fueled by curiosity, but it is maintained by necessity. There is no small amount of self-interest in this passion. If I know how, when, and where a fraud can occur, I can protect myself. In turn, I can offer what I’ve learned to my clients and advise them on how to strengthen internal controls to detect malfeasance. By learning what factors lead to increased losses, I can also identify methods to help my clients reduce the cost of any fraudulent schemes that they uncover.
It may surprise you to know that most fraud victims recover absolutely nothing. Those who do recapture something generally only salvage a fraction of what they lost, monetarily, to say nothing of morale. I refer you again to our stolen car. The median length of a fraud scheme, as reported in the 2018 Report to the Nations, is 16 months. That means for a full year, and some change, a fraud went undetected and undeterred. It took our car eight years to return. It took my clocked-out friend a week to quit. There’s a lot of variability in each fraud, but generally speaking, the shorter the fraud is allowed to carry on, the less is likely to be lost.
The Big Theory
If you take away nothing else from this discussion, let this stick with you: the key to fraud prevention is the perception of detection. This concept is the driving force behind a majority of controls.
Let’s take a warehouse for example. Will a lock on your warehouse doors stop someone from breaking in? How about a security camera? An alarm system? No, of course they won’t. The lock can be broken, the camera disrupted, and the alarm system relies on someone responding to it before the thief gets away. However, each of these will add another barrier for thieves to overcome. They have to physically break the lock, work quickly before someone investigates the alarm, and will have the nagging worry that the camera saw something that would give them away. Each element builds on the stress facing a would-be thief.
The same holds true for other types of fraud. If your company selects a random payday to hand out physical paychecks, their “ghost employees” may be identified by unclaimed checks. If the store manager is reviewing sales trends and sees an unusual spike in returns, or a dip in cash, they can start investigating whether anyone is reviewing journal entries, or which employee has access to which systems.
1. Get Multiple Sets of Eyes on Everything!
One of the controls auditors most recommend is for clients to review their key controls, such as bank reconciliations, reconciling items and journal entries. It’s even better if the person performing the review is documenting what they looked at, and how they resolved any questions they had.
The easiest of these to tackle is the bank reconciliation. The bank statement, itself, should be reviewed periodically for unusual receipts or disbursements with parameters set by the company. A company should also look at canceled check images to ensure the signatures match what they would expect (who is signing, and if that disbursement is within authorized limits and to approved vendors). A quick check of the sequence of checks or wire numbers against the record of payments issued can detect unusual items, as well. Positive Pay, where the bank only cashes an approved list of disbursements, transmitted to them securely, can be a fantastic control if the person transmitting the file is not someone with check signing capability. Ideally, the bank reconciliation should be prepared by someone who doesn’t have check signing capabilities, or the ability to issue electronic payments. Beyond that, a reconciliation should be reviewed by a second person on the accounting team with supervisory capacity. For a gold star, the reviewer should initial the bank statement and the reconciliation, indicating they have completed their review.
A similar process can be put into place for manual journal entries. One person prepares the entry, while someone else reviews supporting documents and necessary authorizations before they approve the entry to post. Departmental or company-wide review of monthly financial results can help detect unusual trends, suspicious increases or decreases, and other items out of line with expectations.
Make no mistake, even with all of these controls in place, a fraud can still occur. Unusual general ledger postings can go unexamined, an out of sequence check can go uninvestigated, especially if no one speaks up. When something seems off, ask questions of the people who have the knowledge to answer. If they don’t know, they can likely point you to someone who does.
2. Encourage a Strong Ethical Culture
I really cannot stress this point enough: a strong ethical and compliance culture is correlated with lower losses and quicker detection of fraud. The Ethics and Compliance Initiative shows that employees in weak ethical company cultures are more likely to observe white collar crimes by roughly 65%. Compounding that, you are far more likely to find out about fraud from an internal tip (the much-maligned whistleblower) than you are from any other method. Over half of all frauds are reported internally by a company’s employees.
Your employees are, and always will be, the best line of defense against fraud. Unfortunately, the other trend to pay attention to is retaliation. Retaliation typically flows from the top down: upper management will retaliate against middle management, who take it out on their subordinates, and so on. Instances of retaliation for reporting fraud are on the rise (nearly doubling from 2013 to 2017), despite a relatively low increase in the number of employees who observed misconduct and subsequently reported it (64% in 2013 to 69% in 2017).
In the same way that the perception of detection decreases your fraud risk, the impression that reporting misconduct will bring harm to the tipster discourages them from speaking up. All but the most ethical of employees would be discouraged by the prospect of losing their job, facing a pay-cut, or experiencing other negative consequences for tipping management off to fraud.