Small businesses are more vulnerable to fraud attacks than most larger organizations. Attacks and scams typically come from three specific sources: employees and other internal-access threats, outside invasions, and collusion between the internal and the external. This blog focuses on the internal threats.
By Paul W. Pocalyko, CPA, CFF, CFE
Through much of my career, I have provided consulting services to small business clients. In fact, I obtained an MBA that was in part funded by a grant program sponsored by the Small Business Administration. And as a forensic accountant, I know that small businesses are more vulnerable to fraud attacks than most larger organizations. Those attacks and scams typically come in three specific ways: from employees and other internal-access threats, from outside invasions, and from collusion between the internal and the external.
This blog focuses on the internal threats, with a follow-up blog that identifies external exposures.
Many years ago I had a nonprofit client that printed educational materials as part of its mission. Most of this was done as black and white photocopies on standard paper, folded in half, with a color paper cover and stapled in the middle. We traced a $3,000 annual budget deficit to a 600,000-page discrepancy (photocopiers have counters). The print shop manager was in collusion with the paper supplier. The inventory fraud had cost the nonprofit more than $10,000. Simply checking the counters in the copiers and comparing them to purchase volumes could have avoided the loss.
Credit cards held in the company name or held by people in senior positions are often used to make a variety of purchases for small-business owners. It is common for a few trusted employees to have that information to aid with ordering office supplies, paying vendors, or fueling company vehicles. Too often, employees take liberties and use these cards for personal items, clearly violating company policies. They add to the supply order, fill their own car with gas, or buy friends a nice lunch on a Friday. As time progresses and the small infractions go unnoticed, the employee gets bolder, buying plane tickets or purchasing tickets to sporting events. These purchases may also go unnoticed if they conform to the general types of expenses the company incurs as part of its normal business activities. Typically these are only uncovered by accident.
I meet many small-business owners in my day-to-day work and community activities. I have heard too many stories about someone in the accounting department who wrote company checks either to pay for personal obligations or as a means to embezzle money. In a recent matter, the perpetrator, a company accounts payable clerk, wrote checks of small amounts to herself, went to the bank and cashed them, and then changed the payee in the accounting data to cover up the theft. The fraud persisted for 10 years, and was only uncovered by a new teller at the bank who got suspicious about the number of checks being cashed. Through these small amounts, the employee had managed to embezzle more than half a million dollars, and there was no insurance coverage. During the investigation, the controller could not understand how this happened. But it happened because simple, existing control points were ignored: no one ever looked at the canceled checks, bank reconciliations were done on a macro level, and no one ever looked at the audit trail in the accounting software.
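The control points named above (canceled checks, item-level bank reconciliation, the accounting software's audit trail) can be combined into one check. The following is an added example, not part of the original post: the record layouts, names, and amounts are constructed, and it assumes the payee on each canceled check and a payee-change audit log can be exported.

```python
from collections import defaultdict
# Constructed sample data, not taken from the case described above.
# Ledger as it stands today: check number -> (payee, amount)
LEDGER = {1001: ("Acme Paper Supply", 412.50), 1002: ("City Utilities", 188.00),
          1003: ("Office Depot", 240.00), 1004: ("Acme Paper Supply", 95.00)}
# Payee and amount read from each canceled check returned by the bank
BANK = {1001: ("Acme Paper Supply", 412.50), 1002: ("J. Clerk", 188.00),
        1003: ("Office Depot", 240.00), 1004: ("J. Clerk", 95.00)}
# Audit trail export: (check number, field, old value, new value, user)
AUDIT_TRAIL = [(1002, "payee", "J. Clerk", "City Utilities", "ap_clerk"),
               (1003, "memo", "", "toner", "ap_clerk"),
               (1004, "payee", "J. Clerk", "Acme Paper Supply", "ap_clerk")]

def norm(name):
    """Normalize a payee name so punctuation and case do not cause false hits."""
    return " ".join(name.lower().replace(".", "").replace(",", "").split())

def macro_reconciles(ledger, bank):
    """Totals-only reconciliation: the check that the scheme passes."""
    total = lambda book: round(sum(amount for _, amount in book.values()), 2)
    return total(ledger) == total(bank)

def item_level_findings(ledger, bank, audit_trail):
    """Compare every cleared check to its ledger entry and attach payee edits."""
    edits = defaultdict(list)
    for check_no, field, old, new, user in audit_trail:
        if field == "payee":
            edits[check_no].append((old, new, user))
    findings = []
    for check_no, (bank_payee, bank_amount) in sorted(bank.items()):
        if check_no not in ledger:
            findings.append((check_no, "not in ledger", bank_payee, []))
            continue
        ledger_payee, ledger_amount = ledger[check_no]
        if norm(ledger_payee) != norm(bank_payee):
            findings.append((check_no, "payee mismatch", bank_payee, edits[check_no]))
        elif round(ledger_amount - bank_amount, 2) != 0:
            findings.append((check_no, "amount mismatch", bank_payee, edits[check_no]))
    return findings

def exposure_by_payee(findings, bank):
    """Sum the cleared amounts of flagged checks per payee named on the check."""
    totals = defaultdict(float)
    for check_no, _, bank_payee, _ in findings:
        totals[bank_payee] += bank[check_no][1]
    return dict(totals)

if __name__ == "__main__":
    found = item_level_findings(LEDGER, BANK, AUDIT_TRAIL)
    print(macro_reconciles(LEDGER, BANK), found, exposure_by_payee(found, BANK))
```

In the sample data the totals reconcile, so a macro-level reconciliation passes, while the item-level comparison flags both altered checks and shows which user changed each payee.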
I was engaged to validate a defalcation in order to aid a small business in its recovery. The company provided business equipment and service for that equipment. Most of the equipment was under lease arrangements. The controller had embezzled money by paying personal credit card bills. The controller opened a credit card account with the same company that the small business used. The controller combined the payments and was able to avoid detection by the business owner. The check was made payable to the same vendor, and the company used the credit card for a large volume and variety of purchases. In this case the owner did review the company credit card statement, but the owner never matched it to the payment amounts when he signed the checks. The scheme went undetected for five years, growing in size every year. The fraud was uncovered when the company bounced checks for other purchases. During the investigation, the owner asked how the controller had hidden the fraud in the company accounting records: “What was the other side of the entry?” The controller had booked manual entries throughout the general ledger accounts to cover the fraud. The owner lamented that he was not diligent in his review of the billings: “I trusted my controller.”
There are no assurances that all internal fraud can be avoided or eliminated. The creativity of fraudsters continues, even in the wake of greater oversight and more modern accounting software and tools. However, by using some basic and fundamental common sense and implementing standard internal controls, small-business owners can avoid many common internal frauds.
My next blog will help you remain vigilant against some active external scams.
Paul W. Pocalyko, CPA, CFF, CFE, is with HKA in Philadelphia. He can be reached at ppocalyko@comcast.net.
Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.