The following is an article by Stephanie Laitala, President and Owner of Owl Bookkeeping and CFO Services.
- Minneapolis Office: 3208 W. Lake Street #10 Minneapolis, MN 55416 612.816.6007
- St. Paul Office: 370 Selby Avenue, Suite 300 St. Paul, MN 55102 612.816.6007
Big Concern for Small Businesses
Most small business owners don’t believe that fraud can happen to them, but the reality is that small businesses have every reason to worry about fraud. Small businesses (defined as organizations with fewer than 100 employees) are by far the most vulnerable to occupational fraud. In fact, the per-employee losses from fraud in the smallest businesses are 100 times the amount of their largest counterparts. The average fraud scheme in a small business causes $127,500 in losses. It can be devastating to a company, so devastating that almost a third of all bankruptcies are attributed to embezzlement. Starting to wonder what your potential losses might be? Let me share one other stat that might surprise you. A commonly accepted rule of thumb is that the average company can expect to lose 6% of its revenue to fraud. (Should I pause while you do the math in your head?) This is such an important topic, and I’m glad you’re taking it seriously enough to be here with me today.
Introduction and Overview
During the next half hour I’ll be sharing some insight, based on both my personal experience and on hard data, on:
- Why small businesses are so vulnerable to fraud
- What type of individuals are most likely to commit fraud
- What are the specific schemes that are used most frequently
- What are the measures that have been proven to be most effective in detecting and preventing fraud
Note: During this presentation I’ll be sharing several statistics in some cases to show the magnitude of this problem and in other cases to help you pinpoint the exact areas you want to focus on when tackling the problem. These statistics come from a very current and credible source: The 2004 Report to the Nation on Occupational Fraud and Abuse, from the Association of Certified Fraud Examiners.
Why Are Small Businesses So Vulnerable?
Lack of risk awareness. Business owners are usually hard working, honest, positive and upbeat individuals who project the same attributes on others. Because they are risk-takers with a certain sense of invulnerability, they are not typically suspicious and often fail to create even the most basic financial controls or safeguards for their companies. In smaller businesses people know each other well, and it’s natural for them to trust one another. Indeed, the intimate familial atmosphere of a small business is one of its most appealing features. Most of the time, believing in your coworkers is well founded, but not always. Never having faith in your employees is a bad thing; so is always trusting them. The goal is to strike a balance between the two. To heighten your risk awareness, you should periodically remind yourself that there are others who may:
- Be less honest and straightforward than you
- Think that they deserve to earn far more than you pay them and feel entitled to “adjust” their incoming funds to higher levels
- Perceive that, because you are a business owner, you are a wealthy person and that they deserve some of your money
- Initially intend to “borrow” some funds for a short time but then can’t pay it back. As their cash needs continue, they continue to “borrow” from you.
Lack of financial expertise
Entrepreneurial individuals typically start new businesses by converting years of advanced skills and industry expertise into marketable products and services. A small business owner generally has abundant technical skills (to provide a product or service) and people skills (to sell the product or service). But rarely does he or she have the financial expertise to run a business. Most business owners are happiest when they are producing or selling and would prefer to have someone else handle the financial side of the business. Many owners are uncomfortable working with numbers, or are not interested in investing valuable time to learn how to understand or structure their financial information. When an employee sees that the boss doesn’t know exactly how much money is in the bank, or isn’t interested in reviewing bank statements, they also begin to realize how much they could get away with without fear of discovery.
The bedrock of fraud prevention is the division of responsibilities between employees. The reason is straightforward enough: It is one thing to steal by yourself but quite another to enlist the aid of a coworker. Small businesses rarely have sufficient personnel to adapt adequate controls; “one-person accounting departments” are the rule, not the exception. Consequently, it becomes important for the owner to overcome this deficiency with reasonable oversight, which can be accomplished two ways. First, the business owner should actively understand and verify the financial information reported to him or her. Second, the owner can engage an accounting professional to attest to the credibility of the financial information, even if the company doesn’t have a regular audit.
Who Commits Fraud and Why?
When you take a moment to consider the individuals working for you, you probably can’t think of one that would commit fraud against your company. One thing to keep in mind is that the culprit is often the last person you would suspect. It’s rarely the new worker who’s a total mystery to you. More often than not it’s the person who has been at the company forever and who you trust implicitly. (Most fraud is committed by someone who has worked for you for at least 6 years.) The study by the Association of Certified Fraud Examiners offers an interesting picture of embezzlers. It found fraud committed by managers was 16 times greater than fraud by rank-and-file employees. Fraud losses caused by men were four times those caused by women. People 60 and older committed 28 times the fraud committed by people 25 and under. When you think about it, this picture starts to make sense. In order to steal a lot of money from a company, you’ve got to be in a position of some power and trust. Otherwise you don’t have access to the company’s assets. By definition, all occupational fraud is committed by people we trust. After all, you trusted them enough to hire them and welcome them into your company. Opportunity is generally provided through weaknesses in the internal controls. Some examples include inadequate or no:There arebad people who commit fraud, but more often it is a good person who has found him or herself in a situation that spiraled beyond control. One of the things you have to do when thinking about fraud is alter your belief system. Our tendency is to believe that nobody we hire would steal from us. The reality is that just about anyone will do it if there three factors exist: opportunity, pressure and a rationalization. These three factors make up what is referred to as the Fraud Triangle.
- Separation of duties
- Management approval
- System controls
- Publicized rules and punishments for fraud perpetrators
Pressurecan be imposed due to:
- Personal financial problems
- Personal vices such as gambling, drugs, or extensive debt
- Unrealistic deadlines and performance goals
- Revengeful motives for perceived inequities (for example, underpaid, poor job assignment)
Rationalizationoccurs when the individual develops a justification for their fraudulent activities. The rationalization varies by case and individual. Some examples include:
- “I really need this money and I’ll put it back when I get my paycheck”
- “I’d rather have the company on my back than the IRS”
- “I just can’t afford to lose everything – my home, car, everything”
Who commits fraud? Someone under pressure with a justifying attitude that you have put in a position of trust.
How is Occupational Fraud Committed?
Next I want to cover how fraud is committed and, specifically, make you aware of the types of schemes that are out there and which ones tend to produce the largest losses. Breaking down occupational fraud into distinct categories also helps you better understand the common characteristics, which in turn assists in the development of better antifraud tools. There are three major categories of occupational fraud to consider:
- Asset misappropriation. This is the most common type of fraud, representing over 90% of all situations, and where we’ll focus our attention today. These schemes involve the theft or misuse of an organization’s assets — most often involving the theft or embezzlement of cash. It can include skimming revenue before it is recorded on the books, stealing cash receipts or inventory, or committing payroll fraud.
- Corruption. Fraudsters wrongfully use their influence in business transactions to procure some benefit for themselves or another person. One of the most common is accepting kickbacks or engaging in conflicts of interest.
- Financial statement fraud.The fraud schemes at Enron, WorldCom and Tyco all involved financial statement fraud. This sort of fraud is the most costly per scheme (median loss is $1 million) but also the least common. This generally involves falsification of an organization’s financial statements by overstating revenues or understating liabilities or expenses.
Let me ask you, if an employee could steal any asset, which one would it be?”
In 9 out of 10 cases, the answer is obvious: cold, hard cash. The reasons are apparent. A thief working for a test tube wholesaler would face some challenges fencing the illegal bounty on the black market; a dishonest employee working in the coal mines would need to pilfer tons of the stuff to do any good. But everyone spends money.
Although any other asset of the business is up for grabs, employees usually opt to steal something that is particularly useful to them personally. Consumer goods such as clothing, groceries, electronics and jewelry are favorites. Office supplies and equipment (laptop computers, handheld devices, software and calculators) top the list of hard assets likely to be stolen.
Digging a little deeper, let’s look at how cash misappropriations break out. This is the greatest area of vulnerability for a company. Cash fraud falls into one of three categories:
- Fraudulent disbursements. A perpetrator causes the company to disburse funds from a company’s bank account through some trick or device, such as submitting false invoices or forging company checks. Approximately three-fourths of the cash frauds involved some form of fraudulent disbursement, making this the most common category by far. Schemes that involved a fraudulent disbursement also had the highest median loss, at $125,000.
- Skimming. Cash is stolen from an organization before it is recorded on the organization’s books and records. The usual culprits are salespeople and accounting department personnel. They filch money that should be credited to sales or accounts receivable A common form of skimming is stealing incoming checks from the mailroom. If the check is accompanied by an order for goods, an employee can steal the goods from inventory and send them to the customer.
- Cash larceny. Cash is stolen from an organization after it has been recorded on the organization’s books and records. The employee usually is a cashier or someone with easy access to currency. Because currency is generally closely watched, these schemes are fairly infrequent.
Breaking down fraudulent disbursements even further, you can see that the areas that represent the greatest risk for fraud are billing and check tampering.
In billing schemes, the company pays for goods or services that it does not need or want. An employee commits the fraud by attacking the purchasing cycle. An employee will submit invoices for fictitious goods or services, inflated invoices or invoices for personal purchases; the organization subsequently issues a check to the fraudster, an accomplice or even a shell company. In most instances, a fake invoice is produced for services rather than products, since it is more difficult to hide goods that are supposed to be received. Many times, these transactions are hidden in the accounting system with a charge to “consulting expenses.”
The perpetrator converts an organization’s funds by forging, altering or stealing a check. What many business owners don’t realize is that the mailroom is as opportune a place to steal cash as a bank vault. Much of the company’s money passes through there in the form of incoming and outgoing checks. Checks should be secured with the same diligence you use to protect cash. They should be stored in a locked facility and only those employees who truly need access should have it. Too often, checks that are to be canceled or voided are left lying in someone’s in-box even though they’re still “live” checks. Or unused checks from the last check run are left in the printer tray. I’ve even heard of a case where an accounts payable department had the bad habit of throwing away any checks that had been crumpled by the printer. The checks weren’t voided. A member of the cleaning crew had his own bad habit, which was to rescue those checks from the trash, forge signatures, and cash them for increasingly large sums of money. The thefts weren’t discovered until the account was overdrawn and more than $1 million was gone. This department had also neglected to reconcile accounts for more than a year. Conduct a physical inventory every quarter to account for every check. Zero amount checks and checks that have been canceled or voided should immediately be stamped void so they’re unusable. And someone other than the accounts payable processor who handled the original transaction should be responsible for accounting for all voided or cancelled checks.
An employee enters a claim for reimbursement of fictitious or inflated business expenses.
An employee causes the organization to issue a payment by making false claims for compensation. Example: A controller for a small nonprofit organization, believing she should be earning twice her salary, added a “ghost” employee to the payroll. Since she managed both the bank accounts and the books—a serious internal control deficiency—that was easy enough to do. Every pay period, she wrote a paycheck to the nonexistent ghost, but thanks to the company’s direct payroll deposit policy, the money actually went straight to her bank account. The bank evidently never noticed the discrepancy. During a surprise audit of the payroll account, the controller mysteriously left town. It didn’t take the auditors long to figure out why when they matched the direct deposits and uncovered the scheme, which had cost the nonprofit $208,000 over three years.
An employee makes false entries on a cash register to conceal the fraudulent removal of currency. Example: A crafty service station attendant discovered a flaw in the cash register system; it could put a sale on hold until the transaction was completed. Simply depressing the “hold” button for a few extra seconds made the transaction disappear altogether. So when a customer bought gasoline, the clerk would erase the sale and pocket the proceeds. Company auditors finally noticed a large disparity when they compared fuel inventory to sales. After exhausting all other possibilities (including leaks in the fuel storage tanks), they installed surveillance cameras over the cash registers and caught the fraudster on tape. This simple scheme cost the company $132,000.
How Do You Detect Fraud?
The average scheme goes on for 18 months prior to detection. By a wide margin, the most common means of detection was through a tip from an employee, customer or anonymous source. These individuals are often best positioned to witness violations, questionable ethical standards or other indicators. In studies, organizations that did not have reporting mechanisms suffered median losses that were more than twice as high as organizations with them. The conclusion? Hotlines work! All organizations — small, large and privately held — should have a fraud hotline. To be successful, a hotline should be maintained by a third party so that employees who wish to remain anonymous can do so.
Best Practices for Preventing Fraud
Let Them Know Someone is Watching
Detecting fraud is important. Of course, preventing the fraud before it ever happens is more appealing. There is no guaranteed way to prevent all fraud, but you can certainly create a culture that is hostile to fraud. The key is to start thinking like a thief. What potential fraudsters are most concerned about is getting caught. Those who perceivethey will be caught engaging in fraud are less likely to commit it. And note that it is the perception—not necessarily the reality—that modifies the criminal’s behavior. It’s the same method used by police departments to control street crime. The authorities usually increase police visibility in crime-prone neighborhoods. Officers’ mere presence—a proactive deterrent—is the most effective way to discourage offenders.
One of the easiest, virtually cost-free methods of letting employees know that you’re watching is put a good fraud policy in place. Every organization should have one. A fraud policy has two roles: to clearly communicate the organization’s policies against improper conduct to all employees, and to minimize its exposure to litigation. Some things that should be clearly noted in any fraud policy are:
- Illegal activities such as theft of assets and kickbacks are strictly forbidden Employees who suspect or know of wrongdoing are required to notify management or the owner or report the wrongdoing through the fraud hotline
- All suspected frauds will be fully investigated regardless of the employee’s position or length of service
- Committing fraud will result in termination of employment
- The company will fully cooperate with law enforcement and support prosecution.
If you’ll leave your contact information with me, I have a sample policy…
Preventing Fraud: Establish Internal Controls
Small businesses need to look at how they’re operating—their basic internal policies and procedures— and take measures to decrease their vulnerability to fraud. Many controls are fairly easy to implement and cost next to nothing. Some would even say you have a moral obligation to have controls in place, that it’s unfair to put an employee in a position where it is easy for him or her to steal. People are people, and by not having controls, you’re basically putting up a sign that reads: “Steal from me. I’ll never know.” If you don’t have temptations to begin with, you avoid a lot of problems. It can be simple things. Let me give you a few examples:
- Segregate cash related functions. First and foremost, every business should segregate its cash-related functions (e.g., receiving and disbursing funds, signing checks, reconciling accounts); a single employee should never be given responsibility for all such functions.
- Implement active oversight.The company’s principals need to learn about schemes, too, to be involved in fraud prevention in their companies. Above all, the owner should receive an unopened bank statement so he or she can review it for suspicious transactions. Moreover, the principals need to ensure they understand the entity’s revenue and expense streams so they will be able to notice unusual trends.
- Restrict access. You must protect the accounts payable and procurement functions by restricting access to the master file records of your vendors. Changing or adding new vendors should require supervisory approval and supporting documentation, because otherwise any employee can set up a company name and have the company start billing and getting paid. Similar precautions should be put in place in payroll. If you want to guard against payments to ghost employees as well as improper changes to pay rates, you also have to restrict access to personnel master file records.
- Check your checking. One-third of the small business cases involved a billing scheme, and one-third involved check tampering—two forms of fraudulent disbursements that typically succeed when there is a lack of control over the company checkbook. This suggests that if there is one critical area where small businesses should focus their antifraud efforts and resources, it is in establishing solid controls—including a strong separation of duties—over the check-cutting and payables functions. Reviewing canceled checks is especially important in small businesses, where there are few checks and balances. Business owners should always open bank statements first and review all canceled checks. You also need to protect check stock under lock and key as we discussed earlier. And you can implement other simple changes such as having two employees open the mail and requiring employees to stamp “for deposit only” on all incoming checks.
- Review hiring policies. Review your hiring policies to keep people with dubious backgrounds out of your company. That means getting back to common business practices and good sense. Check references—with a phone call, don’t just look at pieces of paper. When you’re filling a position in a particularly sensitive area, think about hiring an outside firm to tackle a complete background check that includes running a credit bureau report on that employee.
- Get an outside perspective. Businesses should have a financial professional conduct an annual review of cash accounts and bank statements.
There’s bad news and there’s good news. Small businesses are disproportionately affected by occupational fraud. Fewer employees can mean less segregation of duties, fewer basic accounting controls, and a greater level of trust between owners and co-workers. That’s the bad news. The good news is that we have the tools to prevent fraud—certainly not 100% of the time, but in most cases—and they’re not overly cumbersome to implement. For those of you who like things wrapped up nice and neat, here, in a nutshell, are the top 10 things you can do to prevent or detect fraud.
Top Ten Ways Small Business Owners Can Prevent or Detect Fraud
- Give employees a way to report fraud.
- Have a written code of ethics.
- Segregate duties.
- Set a good example.
- Have reasonable expectations and treat employees well.
- Restrict bank account access.
- Perform regular bank reconciliations.
- Adequately secure inventory and supplies.
- Adequately prescreen employee applicants.
- Hire an outside financial professional to examine the books.