A company's greatest asset -- its employees -- can also be its biggest threat. The typical organization loses 5% of its annual revenue to fraud, according to the 2010 report from the Association of Certified Fraud Examiners (ACFE). But many losses could be prevented with basic controls. No matter how large the corporation, deterrence can have a significant impact.
Unfortunately, too few are proactive. Nearly two-thirds (65%) of executives surveyed by KPMG in 2009 reported that fraud and misconduct is a significant risk for their industry. And almost three-fourths (74%) believed that misappropriation of assets, fraudulent financial reporting and other criminal behaviors would increase over the following 12 months. Despite their certainty that criminal conduct would increase, two-thirds still reported that inadequate internal controls or compliance programs at their organizations enable fraud and misconduct to go unchecked.
Fraud runs the gamut from physical thefts to phony billing schemes, bogus vendors and forgery. But no matter the method, most major embezzlers (86%) act alone, according to the 2010 Marquet Report on Embezzlement. And most embezzlers (63%) hold bookkeeping, finance or accounting positions, with managers (15%) and executives (14%) being the next likely culprits.
One recent scheme that made headlines as "the ultimate inside job," according to federal prosecutors, involved former Citigroup employee Gary Foster, who allegedly wired more than $19 million over time from his employer to his own personal account.
Fortunately, there are controls that companies can put in place to limit losses and make the detection of crimes like this more likely. Here are six.
1. Institute Key Basic Policies
Bank accounts should be reconciled at least monthly, although more frequent reconciliation is also recommended. The reconciliation should include a review of the cancelled checks for incorrect payees, amounts and endorsements. Having bank statements delivered, unopened, to the owner is one easy control for small businesses.
Assign different financial transactions to separate employees. For example, the employee responsible for reconciling bank accounts should not also make deposits, withdrawals or sign checks. Requiring multiple signatures on checks or a voucher system requiring multiple levels of approval in order to issue a check are also effective controls.
Maintain a list of approved vendors and ensure that the individual who can choose or authorize a vendor cannot also authorize payments from that vendor. Similarly, an individual not responsible for making purchasing decisions should do verification of the receipt of goods and services.
Ongoing, high-level fraud risk assessment is essential. It should involve the audit committee, management and possibly a certified fraud examiner. Create "ownership" of fraud risk by assigning a senior manager and communicating to business unit managers that they are responsible for managing fraud risk in their areas.
2. Police Payroll Records
Payroll is a key fraud area. Ensure that the individual responsible for adding employees to the payroll system cannot also authorize payments to those employees or distribute paychecks. Also, verify that terminated employees are removed from the system rather than simply changing their status. A dishonest payroll clerk, if given the opportunity, could change the status to "active" before a check run, then back to "inactive" afterwards.
Controls should also be established at the department level, with managers regularly reviewing their employee list. Across the organization, budgeted payroll expenses should be compared to actual payroll expenses.
Review payroll records for duplicate Social Security numbers and addresses, and look for employees without typical deductions such as health insurance, taxes and 401k contributions. These could be ghost employees. Finally, compare employee addresses with vendor addresses to identify potential conflicts of interest.
3. Create a Perception of Detection
Employee education, especially anti-fraud training, can let them know the organization takes fraud seriously. "The fraud-educated workforce is the fraud examiner's best weapon -- by far," said Joseph Wells, founder of the ACFE.
Auditors should openly discuss fraud during audits. Asking for suggestions and reviewing control effectiveness with employees will let them subtly know that auditors are watching, without making them paranoid. Conducting surprise audits instead of scheduled audits is also effective.
Make reporting easy with an anonymous hotline and swiftly investigate allegations to prevent small frauds from mushrooming. One company includes its hotline phone number, along with an estimate of how much fraud costs the organization, on the back of every employee's ID card. Employees are unlikely to report fraud from the office or job site so ensure that the hotline is easily accessible after hours.
4. Mandate Vacations
The fraudster is often the one who works late, shows up early and never takes vacation. It takes a lot of effort to cover up deceit. One company knew it had an issue when, over a weekend, one of its accountants broke several bones in a skiing accident but made it to work at 9 a.m. the following Monday.
Many frauds are uncovered as a result of the perpetrator taking a vacation, using sick time or rotating jobs. Because of this, many major banks require that certain employees take two-week vacations. Enforcing these types of policies can deter the fraudster and uncover any ongoing frauds before they escalate.
5. Promote Ethical Behavior
Provide a code of conduct to employees at all levels. Make them sign it annually. It should include information about how to report suspicious behavior.
Whistleblower awards are part of the new Dodd-Frank act encouraging employees to report fraudulent activity directly to the SEC. Some companies even offer comparable awards to whistleblowing employees. Gone should be the days when whistleblowers are retaliated against or terminated.
6. Insurance is Critical Protection
Policies may cover loss of money, property or securities; computer and funds transfer frauds; vendor theft; telephone fraud; software licensing violation fines and penalties; forgery; counterfeit currency; theft of clients' property; and expenses incurred to determine the existence and amount of the loss.
Look for a policy with worldwide coverage and an expansive view of who is considered an employee. It must include temporary and leased workers. It definitely must provide for directors, trustees and officers. And don't forget volunteers and interns.
With controls and an insurance policy for any fraud that slips through the cracks, risk managers can be confident that criminal actions will be deterred, detected and reimbursed.
Doug Karpp, certified fraud examiner, is vice president at Hiscox Specialty.Risk Management Magazine and Risk Management Monitor. Copyright 2013 Risk and Insurance Management Society, Inc. All rights reserved.