While every employee might not be stealing, a report from ACFE reveals that fraudulent behavior might be more common than expected.
Over the past decade, business owners have become quite privy to the dangers and signs of fraud schemes. While credit alerts and vendor screenings have become somewhat second nature, business owners continually overlook one of the most common sources of fraudulent activity — their employees.
Statistics show that employee theft is frequently more damaging to businesses than other potential scams, and that more often than not, the perpetrator is a long-term employee or someone that the owner would least expect.
From high mortgage debts, climbing costs of living, budget cuts, and increasing costs of health care, there’s a clear (potential) motive for employees to turn to fraudulent behavior. A 2016 study by the Association of Certified Fraud Examiners revealed that a typical organization loses 5 percent of annual revenue to fraud, with the median loss being $120,000.
This isn’t to say that every employee is stealing, but it is an indication that it might be more common than you expect. If internal controls are weak or nonexistent, the likelihood of theft occurring increases, and therefore, so does the potential loss.
What can companies do to protect themselves? Improving or establishing internal controls is a very easy and generally cost effective way of mitigating the risk of potential loss.
Having a strong set of internal controls is the most effective and efficient way of protecting yourself against those looking to skim money off your bottom line. This does not need to be a complete internal control evaluation and implementation, but evaluating key transaction cycles and putting controls in certain key steps can go a long way to minimizing the risk of employee theft.
Meeting with your management and finance group, or even a contractor hired to assist with internal control evaluation, can help you to develop a list of areas where controls could be improved — the “low hanging fruit.”
From there, you can use the list to help determine how those controls can be implemented cost effectively. You can also choose to delve deeper into further analysis in other areas and implement additional controls over time.
10 signs there may be an issue:
1) Unexplained variances between budgeted and actual costs.
2) Large liabilities related to unexpected contracts.
3) Employees living beyond their means or making sudden big-ticket purchases.
4) Abnormal changes in account balances.
5) Unusual write-offs or questionable transactions.
6) Shortages in cash, investments or other assets.
7) Abnormal employee behavior (increased complaints, secretive about job function, unwillingness to cross-train, refusal to use vacation days, diversion of scrutiny under audit).
8) Infrequent or late financial reports.
9) Accounting staff is behind more than 3 months on preparation of monthly bank reconciliations.
10) Unexplained inventory shortages.
Even if your company has never experienced an employee theft (that you are aware of), it’s a good idea to have the right controls in place to prevent attacks from happening in the future. There are two categories of controls: passive and active.
Passive controls exist to prevent someone from having the opportunity to commit fraud, while active controls prevent the possibility of fraud occurring in the first place. These controls are often complex, multi-levels of review and approval, but can often be simple or subtle changes in your day-to-day processes and procedures.
Types of passive controls:
1) Audit trails and traceable trails
2) Review process and procedures
3) Focused or surprise audits
5) Rotation of personnel
Types of active controls:
1) Segregation of duties and functions
2) Physical asset control (locks, check out systems passcodes, etc.)
3) Document matching
4) Signatures, signoffs, and document countersigning
5) Passwords and PINs for mobile devices and computers
It’s important to remember that internal controls are a process, not a means to an end. They must be properly communicated, remain consistent, and always stay enforced.
In order to work effectively, internal controls must be persistently followed by every employee, manager and even owners. If the controls are haphazardly enforced, apply to only certain employees, or cover only certain transactions, the company’s likelihood of theft increases.
If the wrong employee starts to understand the pattern or the weak spots in your controls, the areas where the control is not enforced may be manipulated to their advantage. If your employees see that someone is routinely reviewing transactions, entries and documents, then the chances of them attempting fraud will be mitigated to some degree.
10 best practices to implement now:
1) Use payee positive pay and utilize direct deposit for payroll.
2) Have Automated Clearing House (ACH) Protections.
3) Daily reconciliation of bank accounts.
4) Implement vendor verification procedures.
5) Have controlled access to all payments and processing areas.
6) Segregation of duties: Ensure that the person reconciling the bank accounts is different than the check signer and the person mailing the checks. Also be sure the person preparing daily bank deposits is different than the person posting customer payments to the general ledger.
7) Have as few bank accounts as possible: Be extra cautious if your organization has multiple bank accounts and know the business flow of each.
8) Have the bank statements delivered to an alternate address so the cancelled checks or check copies can be scanned for forged checks, or for changed check values or payees after review and signature.
9) Question accounts that you are unaware of or may not know a lot about.
10) Set up an anonymous way for your employees to alert you if they have concerns or suspect fraud – whistle blower hotlines are very effective for getting tips about possible fraud.
While these best practices are a great start to building a strong safeguard, it’s a good idea to leverage a third party to review your business and uncover potential problems.