If you discover an employee is embezzling from your company, you’re likely to act quickly to learn the extent of the fraud and how it occurred. But if you’re like most business owners and managers, you may not be as quick to search for weaknesses before a thief gets a chance to exploit them.
Under the Sarbanes-Oxley Act, publicly traded companies must conduct fraud risk assessments. Privately held businesses are under no such legal obligation, but it’s in their best interests to assess their fraud vulnerability with the assistance of a financial expert. In fact, a thorough risk assessment should be the core of every company’s antifraud program.
Don’t Let Fraud Get a Foot in the Door
If your HR department doesn’t already, it should make background checks a routine part of your company’s hiring processes. People with heavy credit card debt or gambling abuse problems, or who are embroiled in litigation, for example, may be willing to do whatever it takes to get the money they need.
What’s more, job candidates with criminal records — even a history of traffic tickets — may be less likely to follow your company’s ethical guidelines. And they could be adept at breaking the rules without getting caught.
But where in the company do you start looking for vulnerabilities? Accounts payable? Purchasing? Information technology? A comprehensive fraud risk assessment should include all those areas, and more; you really can’t afford to skimp. If you close a door in only one department, employees bent on fraud will find openings elsewhere.
Look at your internal controls in the same way a dishonest employee would assess them — as opportunities with relatively little risk of exposure. There are four major ways employees might exploit holes in your system:
1. Fraudulent financial reporting, such as improper revenue recognition and overstatement of assets,
2. Misappropriation of assets, including embezzlement or theft,
3. Improper expenditures, such as bribes, and
4. Fraudulently obtained revenue and assets, including tax fraud.
Some schemes, such as payroll fraud or kickbacks, may involve external people in addition to internal ones. And bear in mind that fraud may be limited or widespread — affecting everything from individual accounts to entitywide processes. Your controls should address all levels, as well as all types, of fraud.
Start assessing your risk by interviewing executives and managers. They’ll provide you with a first glimpse of potential risk areas. Perhaps more important, these conversations will help you judge whether company leaders are setting the ethical “tone at the top” that’s integral to fraud prevention.
Next, identify the number and names of employees who handle or review accounting functions. How many, for example, reconcile bank statements or are authorized to make bank deposits? And are accounting employees required to take at least one week of vacation each year? The fewer employees involved in financial functions, and the less vacation time they take, the greater your risk for fraud.
Spreading accounting and banking duties across multiple employees — or shouldering some of the review processes yourself — provides segregation and oversight that are essential to deterring fraud. Regularly review organizational charts to ensure constant segregation of duties.
Other issues to consider include:
Key Performance Indicators. Entitywide fraud can show up in the performance of sales goals or inventory management. It’s important to take fraud risk into account when establishing key performance indicators, as well as to review them regularly with an eye to the unexpected.
Fraud-Risk Management Budget. Compliance training, internal controls monitoring and ongoing risk reviews take time and money. The extent and cost of such activities will vary among companies, but they should be included in your business’s budget.
Strategy Updates. Risks change, and you need to change with them. Evaluate your risk management practices regularly — annually, if possible — to identify and address any new weaknesses.
Focus Where It Matters
When analyzing your findings, remember that your company’s processes, procedures, programs and policies make you unique. Your results aren’t likely to be the same as those of other companies — even in the same industry. That shouldn’t keep you from benchmarking against best practices, but you should concentrate on your own areas of greatest risk. A manufacturer that regularly purchases parts inventory may have more risk of procurement fraud, for example, than a consulting company that buys only office supplies.
Next, consider less-critical areas. Typically, you should have one key control for each risk. If payment authorization is a risk area, for example, you could require multiple approvals for expenditures over a certain amount. Alternatively, if the risk is great enough, you may decide to alter a business process to remove the risk rather than attempting to control it. If you determine that a manual check-writing control is inadequate, for example, you might choose to automate check payments rather than add more controls to the manual system.
Be sure to assess all the risks associated with a process, too. For example, you’ve probably surrounded your IT network with firewalls, virus protection and other guards against outside invaders. But are you guarding against intrusion from inside the fence? Keep activity logs for company data servers and monitor use of office phones and company-issued mobile phones. Require employees to password-protect sensitive files, and make sure that difficult-to-guess passwords protect network access.
Finally, if you don’t have a fraud hotline, consider establishing one. Time and again, research has found that tips from employees are one of the most effective ways to expose fraud. To be successful, though, hotlines must be convenient and confidential. You may also want to establish a hotline for customers and vendors — or give them access to the employee tip hotline.
Regardless of what your fraud risk assessment reveals, you need a strong antifraud policy — which you can create with a financial expert’s assistance — and you must communicate it regularly and emphatically. One of the best deterrents to fraud is a company culture in which fraud is absolutely not tolerated. If you’re visibly committed to honesty, integrity, fairness and equity in all your operations, your employees will follow suit.