Fraud plagues organizations of all shapes and sizes, even (or maybe especially) small to mid-sized businesses. Internal fraud (aka occupational fraud) is one of the most common forms of fraud impacting organizations of fewer than 100 employees. For these businesses, internal controls are critical for protecting private company data and assets. Proper internal controls ensure reliability of financial reporting and the flow of information into an organization’s accounting system.
Below we discuss a few relatively simple internal control systems that prevent internal fraud, such as payroll and accounting fraud.
Segregate Duties
When thinking of internal controls, most of us think of segregation of duties. Small and medium-sized organizations tend to struggle the most with segregation of duties merely due to the number of employees and resources.
For a majority of these organizations, there are just one or two employees handling the books and therefore working on all aspects of the accounting process, including authorization, execution, custody, and the posting of transactions to their accounting system. Ideally, the processing of cash receipts and payments is separate, with different people approving invoices, preparing checks, signing checks, and reconciling the bank accounts. Allowing one individual to handle cash or checks, deposit cash or checks, and post those payments in the accounting system increases the risk of fraud.
In addition, accounting professionals often have the opportunity to create new vendors, including fictious ones. The employee can then list their own financial details under the fictitious vendor profile, and if there is no monitoring in place, an employee sends “payments” to said fake vendor, leading to stolen cash.
These processes must be segregated amongst different individuals or monitoring processes should be implemented. If this is not possible for an organization, it is beneficial to consider an outsourced accounting department to handle accounting processes as they are able to implement the necessary components of internal controls and segregation of duties.
Limit Accounting System Access
Access to accounting systems and financial information is another area of opportunity within small and medium-sized organizations an employee uses to manipulate data to defraud an organization. Accounting software systems allow users the right to edit, add, and delete transactions, vendors, and customers. In general, it is best practice to provide the lowest level of permissions an employee requires to complete their job functions efficiently and effectively. Additionally, we strongly recommend organizations set up separate login information for each employee, and do not allow employees to share accounts or log in under a single account. This can become crucial if an investigation takes place, ensuring that we can reliably determine who made which changes within the system.
An outsourced accounting department with administrative rights to the accounting software would greatly reduce the chances of any employee being able to create false entries and/or delete transactions. The additional oversight creates a “check and balances” approach to the accounting process, ensuring instances of fraud are caught quickly, therefore, stopping the fraud loss before it becomes a bigger problem, and discouraging other employees from committing fraud in the first place.
Keep an Eye on Payroll
Another area within an organization that may be prone to internal fraud is the payroll department. Common payroll fraud scenarios include: employees inflating hours worked on his or her timesheet and fictitious or “ghost” employees. These fictitious employees are established in the payroll system to appear as if they are an actual employee, but the ACH details direct the payments to a fraudster, allowing the individual to steal money through fake wages (similar to fictitious vendors).
Small and medium-sized companies typically manage payroll in house, which leads to a greater risk for these types of payroll fraud. Outsourcing payroll along with your other accounting functions enables necessary internal controls over the payroll process and can even include a time tracking system that is monitored and reviewed by outside accountants for accuracy and reliability. If outsourcing the payroll function is not an option, having a second or third individual involved in the approval process often deters fraud. Periodic reviews of the employee payroll registers by an employee or owner who does not prepare payroll can also assist in detecting these schemes.
Don’t Neglect a Fraud Risk Assessment
Beyond the tips we included above, small and medium-sized business owners may want to seek out accounting or audit professionals to complete a fraud risk assessment and assist with the establishment of effective internal control activities, including segregation of duties. All internal controls should be tailored to a specific business based on organizational needs and risk tolerance levels. Often, a risk assessment professional uses the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework to identify useful preventive controls and address control deficiencies.
A system of internal controls is not just for fraud risk management purposes. Control systems are also used to prevent costly mistakes and ensure accuracy of financial records (like financial statements). Every employee makes a mistake at one point or another, especially when swamped or fatigued. Setting proper controls helps your team operate accurately and efficiently.
Reconcile Bank Accounts on a Regular Basis
Regularly reconciling bank accounts won’t stop fraud. However, your team may spot suspicious activity quickly and empower them to report their suspicions. Many misuses of company funds are identified through a reconciliation, such as misuse of a company credit cards or unauthorized payments using checks and wires.
Keep in mind that it’s just as important to frequently reconcile bank accounts as it is to choose the right individual to perform the task. The person reconciling bank accounts should never be the same individual completing bookkeeping or payment activities—it’s like grading your own test.
Positive pay is also an excellent tool to prevent fraud. By using positive pay, your bank matches checks presented for payment against a list your business provides. This list should include check numbers, amounts, and vendors. If the checks provided do not match the information presented on this list, your bank rejects the check, keeping your money safer.
Establish a “Fraud Hotline” or Whistleblowing Reporting Mechanism.
By far, the most common fraud detection method reported by investigators is a fraud hotline or whistleblower reporting mechanism. More instances of fraud are detected by these simple mechanisms than audits (internal or external), management review, and account reconciliations combined.
These mechanisms are easy to establish and cost effective. If there were one simple step that a company can take to prevent and detect fraud, it is this one. Employees should be made aware – and periodically reminded – of the whistleblowing reporting mechanism and encouraged to report if they notice any suspicious activity.
Review Processes Periodically
Internal control processes and policies should be reviewed on a regular basis—at least annually. Determine what is working, what isn’t, and what procedures should be changed. You don’t need to recreate the wheel—even small tweaks are effective in stopping internal fraud.
Stay aware of how quickly technology evolves—both in terms of tools that protect your business and those that could be used to commit fraud. As new risks emerge, you may need to update your safeguards to stay ahead of potential scams.
No matter the size of your business, it is always possible to reduce or prevent fraud through internal controls. Although you may have faith in your employees’ integrity and ethical values, relying solely on trust as an internal control is ineffective. It’s crucial to recognize that even well-intentioned staff succumb to external pressures and make poor decisions.
If you’re feeling overwhelmed by the prospect of creating a fraud prevention strategy or concerned that you may be the victim of a fraud scheme, reach out to our fraud and forensics team for support.
