More than an estimated $4.7 trillion is lost annually to occupational fraud worldwide, according to an Association of Certified Fraud Examiners (ACFE) report. Corporate CPAs, like it
or not, are on the front lines in the fraud battles our companies constantly face, and we must constantly look for potential red flags. Unfortunately, it only seems to be getting harder.
With today’s widely distributed –
and many times leaner – workforce, internal controls and supervision may have become unexpectedly loosened. Staffing changes, process changes, internal control changes, and the shift to remote work all could play a role in potential internal
Bill Payment Scams
It can be easy to fall into the trap of routinely paying any bill that comes through the door, especially if it is accompanied by an invoice that has the sheen of legitimacy. The habit of pushing payments through, with little to no verification, becomes
even easier when you are in a secondary approval role. But that approval process was created with a purpose, not just as a way to create more paperwork. Stop and think. This invoice is for $10,000, but should it have only been $1,000? Are we receiving
too many invoices from this vendor?
Our firm, Boyer & Ritter, had a case where a company outsourced its property maintenance, so routine invoicing didn’t raise any eyebrows. Then someone looked closer. They found an employee
was submitting extra bills and pocketing the cash.
Segregation of Duties
Never leave an employee isolated or 100% in control of payroll records and bank accounts. Studies show that about 70% of check fraud occurs at companies with fewer than 100 employees, and small businesses sustain the highest median losses.
Always have a second set of eyes keeping track of finances, and the person tasked with the review needs to be at least one level up. If the controller has a lot of responsibility, then the CFO should review regularly.
someone in authority routinely download the check register or generate a report with vendor names, invoice numbers, and check amounts? A lot of fraud and embezzlement is unsophisticated, so implementing even basic safeguards can go a long way to curbing
With all the workplace changes employers experienced during (and after) the COVID-19 crisis, it is a good bet that many procedures have changed, even if the documentation hasn’t. It may seem like a lot of effort, but updating and enforcing your
workplace policies will save plenty of grief, and money, down the road. Setting clear policies also establishes a corporate culture of accountability.
When reviewing written procedures, make sure you do the following:
- Identify gaps or areas where oversight is lacking.
- Allow for cross-training of employees.
- Establish precise work-from-home policies.
- Ensure all policies make sense in the current work environment.
As the written protocols are updated, look for potential risks and ways to mitigate them. How does your organization assess risk? How are identified risks addressed? If you’re not sure, that’s a sign that a more formal risk assessment is needed.
System and Organization Controls (SOC) audits help companies spot issues with their policies and procedures and shore up any weak points.
Are the policies and procedures for handling data and financial transactions followed? Are they
sufficient? Are there adequate safeguards against internal and external fraud? Is the software used suitable and accurate?
A SOC audit answers these questions and more. SOC audits show that an organization is serious about protecting
information and, just as important, help companies improve internal controls.
Employee fraud is more than a growing headache for employers: it is a problem that can cripple a business or organization if not caught quickly. Corporate CPAs must always look a little closer to provide our companies with the protection they need.
Scott A. Koman, CPA, CFE, MAFF, and Mark W. Banks, CPA, CFE, MAFF, are managers with Boyer & Ritter LLC in Camp Hill. Both are members of the advisory services team. Koman can be reached at firstname.lastname@example.org and Banks can be reached at email@example.com.