Monitor, Verify and Verify Again
Over the past decade or so, well-publicized scandals involving Enron, Parmalat, Royal Ahold, WorldCom and other companies have prompted corporate officials, lawmakers and regulators to insist on beefing up internal auditing controls and risk-management operations.
Asset Misappropriation in Canada
Ninety per cent of occupational fraud cases in Canada involve asset misappropriations, according to a study by the Association of Certified Fraud Examiners. Those misappropriations had a median loss of $200,000; 38.9 per cent had a corruption component with a median loss of $250,000; 11.1 per cent involved fraudulent financial statement schemes with a median loss of $1,075,000. Cash is by far the most frequently misappropriated asset, accounting for 86.4 per cent with a median loss of $198,500. That loss is nearly double the non-cash losses, which totaled a median $100,000. This finding is most likely explained by the liquid nature of cash as opposed to inventory, equipment and other non-cash assets, according to the study, entitled Detecting Occupational Fraud in Canada.
And yet fraud still occurs at companies, even those that spend multi-millions of dollars on software and hire multitudes of risk monitors, auditors and compliance personnel. While you may not want to budget large sums for risk management, there are some fundamental tools that should never be ignored by any business of any size in any industry. At the top of the list is the most critical canon of forensic accounting:
Every employee must take some annual leave. While employees are on holiday, a co-worker should cover for them. This is a simple step, but it has uncovered many sophisticated frauds and embezzlements.
Employees who process transactions should be taken off their desks at intervals, so that any existing chain of successive falsifications can be discovered and broken. Refusing vacation time is one of a series of behaviours that should be considered suspicious if they arise in conjunction with fiduciary abnormalities. Watch for sudden changes in lifestyle, or buying a larger home, a more expensive car or costly clothing.
Here are five other steps to take to help ensure your business is protected from employee fraud:
1. Update and modify controls: Successful businesses grow and expand, and in the process their internal controls can become outdated or overworked. Be sure to review your company’s controls on a regular basis to help ensure that they are still adequate.
2. Set up checks and balances: Your company doesn’t have to be a world-class financial institution to have complex transactions that can involve several reports rather than a single document accounting for all aspects of the deal. Be certain that your company enforces disciplined reporting of facts and information and reviews them from all angles. Make sure all relevant parties — traders, accountants, risk managers and the people who run the business — regularly and rigorously review everything. And, perhaps most importantly, check reports randomly rather than on a regular schedule.
3. Vigilantly monitor internal controls: Part of monitoring controls should involve periodic testing to see how easily your company’s systems and procedures can be penetrated. And when designing security systems, always assume that every user has the potential to be a criminal. A trusted insider who learns the inner workings of the company network, security specialists warn, can do some of the worst damage.
4. Frequently review passwords: Make staff aware of the importance of keeping passwords confidential and secure. Limit employee access to information, and require use of passwords that are not easily guessed. Some forensic specialists recommend changing passwords at least every 30 days. Regularly audit systems that don’t require passwords.
5. Trust no one: While you don’t want to run your business like a prison, never assume that because an employee performs “junior” work there is no chance of fraud. When you are confronted with questions about any employee’s suspicious behaviour, take action immediately and double check what you discover. Verify everything. People tend to ignore suspicious activity, rationalize decisions not to take action, or misguidedly think that no single individual is in a position to do any damage.
Like Taking Milk from a Baby
Cash skimming is one of the most common and easiest types of occupational fraud, regardless of an organization’s size. Fortunately, there are relatively uncomplicated ways to fight it.
Look for These Red Flags
Regardless of who skims money, the effect on your enterprise remains the same: revenue is lower than it should be while the costs of producing it remain the same. There are warning signs that indicate the possibility of fraud at your organization. Here is a checklist of tell-tale signs. They don’t necessarily indicate fraud, but the more red flags, the greater the likelihood that skimming is occurring at your business:
1. Declining or flat revenue.
2. Increasing cost of sales.
3. Increasing or excessive inventory shrinkage.
4. Narrowing ratio of cash sales to credit card sales.
5. Shrinking ratio of cash sales to total sales.
6. Increasing ratio of gross sales to net sales.
7. Discrepancies between customer receipt and company receipt.
8. Customer complaints and inquiries.
9. Forged, missing or altered refund documents.
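The six quantitative signs in the checklist can be tested against a run of monthly figures. The Python below is an added example, not part of the original article: it computes each ratio month over month on constructed numbers and reports which flags are present; the one-per-cent "flat" tolerance and the requirement for a consistent direction across every month are assumptions.

```python
"""Compute the quantitative skimming red flags above over monthly figures.

Added example with constructed numbers; the one-per-cent 'flat' tolerance
and the need for a consistent month-over-month direction are assumptions.
"""

# Constructed monthly figures, oldest first (not real company data)
MONTHS = [
    {"revenue": 100000, "cost_of_sales": 60000, "shrinkage": 500,
     "cash": 40000, "card": 60000, "gross": 102000, "net": 100000},
    {"revenue": 99500, "cost_of_sales": 60300, "shrinkage": 650,
     "cash": 37000, "card": 62500, "gross": 103000, "net": 99500},
    {"revenue": 99000, "cost_of_sales": 60000, "shrinkage": 800,
     "cash": 34000, "card": 65000, "gross": 104500, "net": 99000},
]


def ratio(numerator, denominator):
    """Safe division; a zero denominator yields 0.0 rather than an error."""
    return numerator / denominator if denominator else 0.0


def trend(values, tolerance=0.01):
    """Classify a series as 'up', 'down', 'flat' or 'mixed'.

    Each month-over-month change smaller than `tolerance` counts as flat;
    the series gets a single label only if every step agrees.
    """
    steps = []
    for prev, cur in zip(values, values[1:]):
        change = (cur - prev) / prev if prev else 0.0
        if abs(change) < tolerance:
            steps.append("flat")
        else:
            steps.append("up" if change > 0 else "down")
    return steps[0] if len(set(steps)) == 1 else "mixed"


def skimming_red_flags(months=MONTHS):
    """Return the names of the checklist red flags present in the series."""
    series = {
        "declining or flat revenue": ([m["revenue"] for m in months], {"down", "flat"}),
        "increasing cost of sales": ([m["cost_of_sales"] for m in months], {"up"}),
        "increasing inventory shrinkage": ([m["shrinkage"] for m in months], {"up"}),
        "narrowing cash-to-card ratio": ([ratio(m["cash"], m["card"]) for m in months], {"down"}),
        "shrinking cash-to-total ratio": ([ratio(m["cash"], m["cash"] + m["card"]) for m in months], {"down"}),
        "rising gross-to-net ratio": ([ratio(m["gross"], m["net"]) for m in months], {"up"}),
    }
    # A flag fires only when the whole series moves in the suspicious direction
    return [name for name, (values, bad) in series.items() if trend(values) in bad]
```

On the constructed data five of the six flags fire; cost of sales stays within tolerance and is not reported, which is the point of demanding a consistent direction rather than reacting to a single month.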
The term comes from the fact that money is taken off the top, the way cream is skimmed from milk. The reason cash skimming can be so easy, and so tempting, is that the money is often stolen before it is ever recorded. That means there is no need to alter accounting records or convert stolen goods into cash. There are many variations on the skimming theme, and two of the most common are:
1. Unrecorded sales: A salesperson sells goods or services to a customer and collects the payment, but doesn’t ring up the transaction. This is sometimes accomplished by opening the business on weekends or after hours and pocketing all or most of the cash receipts.
Here’s another example that doesn’t involve sales: an apartment house manager collects rent in cash for an apartment that is shown as vacant.
2. Understated sales: An employee records a sale for less than the actual price and pockets the difference. In another version, the employee records a discount that the customer never receives and pockets the amount of the discount.
But skimming can also target refunds and accounts receivable. Those variations, however, require some alteration of the books and records to avoid detection. In receivables skimming, for example, the stolen payments are often simply never recorded on the books, and when funds are diverted from accounts receivable, the amount the customer still owes can be reduced on the books through write-off schemes.
Since any employee who comes in contact with cash can skim money, the usual suspects are salespeople, cashiers, mail clerks, and bookkeepers. But keep in mind that senior executives can easily override controls and skim cash. When senior management is involved the losses are usually much larger.
The key to preventing this type of fraud is to set up controls. How you go about doing that depends on the number of employees and the complexity of your enterprise’s accounting system.
Even a very small business can have effective internal controls that may consist simply of the owner carefully paying attention to a few cheques and keeping tight controls over employee access to cash and other assets. In any case, employees who handle cash should be bonded.
At the top of the list of effective ways to battle skimming is to segregate employees’ responsibilities. This means being sure that:
These controls can be put into effect with as few as three people. If you are the owner and the bookkeeper, only two people are needed to put these controls into effect.
Talk to a professional about other types of fraud and how to protect your company’s bottom line from less-than-honest employees.
Anticipate Problems With Careful Planning
The outsourcing of business processes has helped numerous companies improve their financial performance, as well as increase customer satisfaction. In extreme circumstances, outsourcing can literally ensure a company’s survival.
However, it can involve a number of risks. In order to determine if outsourcing makes sense for your organization, consider taking the following steps:
1. Identify and document your expectations regarding an outsourcing relationship. For example, by what amount would you like to reduce operating costs? Do outside providers have the expertise or skills that your company does not possess in-house? Is outsourcing consistent with your company’s business model and overall strategy?
2. Prepare a detailed inventory of the processes and procedures that you plan to outsource. While gathering the information, you may identify inefficiencies that need to be addressed before the processes can be outsourced. Alternatively, you may decide that inefficient or ineffective processes would be better outsourced, knowing that they will need to be refined by the provider. In any event, being aware of what you plan to outsource, as well as the state of those processes, is key to a successful outsourcing.
3. Prepare a detailed request for proposal (RFP) that identifies all requirements that need to be met by the provider. This can also serve as the reporting framework once a provider is engaged. In addition to preparing an RFP to be circulated to potential providers, consider documenting the attributes that a “perfect” provider would possess. The profile should include the location, industry experience, type of customers served, level of employee skills and the technology employed.
4. Once a short list of providers has been identified, request references from customers that have worked with the providers for one, three, five and, if possible, 10 years. Immediate cost savings from an outsourcing relationship can be straightforward to capture. However, maintaining and improving on those savings over time is considerably harder. Talking with companies that have experience working with the providers can help your company gauge an outsourcing company’s ability to deliver sustained improvements.
5. Ensure that the contract with the provider contains sufficient flexibility to respond to changes in the economic environment. Also, incorporate incentives for the provider to improve performance over time. By offering incentives in the contract, you can dramatically increase the chances the provider will meet the expectations. Just as importantly, incentives should reward a balanced approach. For example, invoice processing time should not be rewarded at the expense of accuracy.
6. Establish a cross-divisional team to consider the risks that can result from engaging an outsourcing firm. Your company’s team could include representatives from operations, legal, accounting, finance, human resources, security, fraud and corporate communications, among others. The types of risk that can result from an outsourcing relationship include fraud by the provider’s staff members, interruption in service due to terrorist activity, political instability and corruption in the location, and backlash if jobs are transferred overseas. Depending on the size of the proposed outsourcing relationship, sub-teams may need to be created to address specific issues, for example the impact of outsourcing on employee morale.
7. Find out what tax implications are involved in the relationship. This could involve the rules for independent contractors, if outsourcing locally, or the tax laws of another country, if you are shipping work overseas. Your tax adviser can help ensure your company is in compliance with applicable laws.
8. Determine the infrastructure needed to support the provider once the outsourcing relationship commences. For example, do you need to assign company personnel to work on-site at the provider’s offices? If not, how often do company personnel need to visit the provider’s operations? How much will it cost to send staff to the provider’s location?
Outsourcing can provide considerable savings. But as you can see, it is not without risk. The steps noted above can help your company navigate the process and deliver sustainable long term savings that directly improve the bottom line.
Mention hosting data remotely to most people, and you will hear expressions of various concerns, such as:
Add the U.S. Patriot Act to the mix and the reactions and anxiety are likely to become even stronger. Many companies and individuals fear that the American law gives the U.S. federal government sweeping powers to look at any data at any time for any reason. Before making a decision to embrace a cloud computing solution that involves hosting data in the U.S., you should separate myth from reality.
First, it is critical to be aware that today’s information technologies make it easy for organizations and individuals to exchange information quickly around the globe. This transborder data flow is becoming increasingly popular as both companies and governments take advantage of outsourcing.
In today’s global economy, suppliers can be located anywhere. Even if a domestic supplier is chosen, it may have offices located in other countries. When a supplier is hired to administer personal information and any parts of its operations, including subcontractors, are outside of Australia, the laws of the other countries may be applicable to information stored or electronically accessible in the foreign country. If a company located in the United States or with U.S. connections is hired, then the U.S. Patriot Act may be applicable.
That legislation primarily extended to anti-terrorism the provisions that originally were used simply to deal with typical criminal investigations. The law permits U.S. law enforcement officials to seek a court order giving them access to the records of a company or individual, sometimes without the suspect’s knowledge. Any organization with a presence in the U.S. or controlled by a U.S. business may be subject to these court orders and compelled to comply with the warrant.
In some circumstances, the law may have made it easier for the U.S. government to gain access to personal data. It did not, however, “fundamentally alter the right of the government to that data in those circumstances,” according to an article written by Jeff Bullwinkel, Associate General Counsel and Director of Legal & Corporate Affairs, Microsoft Australia. In other words, the U.S. government has long had the ability to seek access to personal information in pursuit of legal investigations.
How does the U.S. Patriot Act affect American government access to information that is stored outside of the U.S.? If the data is under the control of a U.S.-headquartered company, the government can use the law just as if the information were stored inside the U.S. If the company is not an American company the U.S. Patriot Act does not apply, although there still are ways the U.S. can gain access to the information it is seeking.
The U.S. has long had many cross-jurisdictional agreements that allow law-enforcement agencies in one country to gain access to data stored in another country. Government agencies in every country at some time have legitimate needs to access information to enforce their nation’s laws. Increasingly, that information is stored in foreign jurisdictions. While different laws and international agreements help facilitate access to this data, both domestic and some foreign laws maintain strong protections.
Deciding where to store your data has become increasingly complex as the options have expanded from storing data on a computer you or your business directly controls to sending the information into the cloud and storing it on some server remotely located anywhere on the globe. Wherever you decide to store information, be certain that appropriate measures are in place to protect that data from unauthorised access.
Take the time to become informed about the pros and cons of the many places and methods available for storing data. Consult with your advisers to learn how various laws may or may not protect your information and then make an informed decision that is within your comfort zone.
Just as soldiers and government employees can electronically download and distribute secret and confidential information, so can employees who have access to electronic data, in any workplace.
Today’s digital storage of information and electronic communication simply makes it easier and faster to disclose substantially more. Some individuals who transfer confidential, private and secret information for worldwide dissemination may be motivated by noble intentions. They believe they are acting in everyone’s best interest by blowing the whistle on a company. But the greater risk for private companies comes from disgruntled employees and those about to be fired.
Many of these employees are disengaged from their jobs. Think of them as the employees who are present in the workplace, but absent from their work. Employee disengagement is a major risk for theft and distribution of unauthorized data — especially among IT employees. The more access an employee has to information at your company, the greater the risk.
There is no absolutely secure way to prevent every possible breach, theft or accidental unauthorized distribution of private, secret, personal and confidential information. However, there are many steps that businesses and organizations can take to defend against leaking and other types of data theft and unauthorized information distribution.
Here are ten steps to secure private, personal, confidential and valuable data:
1. Establish and nurture a culture of trust and fairness among employees.
2. Develop hiring procedures that:
3. Tighten internal electronic data access control. Information should be provided to employees only on the basis of need.
4. Destroy, on a regular maintenance schedule, older stored data that is no longer deemed necessary. Consult with your attorney and your accountant to develop guidelines and a schedule so that deletions conform to legal and accounting requirements.
5. Monitor employees’ electronic activity and investigate abnormal behavior. Look for access during non-work hours, large downloads and employees who obtain information that may not be required.
6. Proactively track who is accessing what information on the network. Compare the activity to what individuals should be accessing. Many organizations also scan outgoing and incoming e-mail. Audit the information employees are accessing remotely and the data being turned over to outsiders, third-party individuals, companies and contractors.
7. Overlap the responsibilities of multiple employees who work with (or have access to) sensitive data, so they can observe each other’s activities. This is similar to having two or more employees overlap in handling financial recordkeeping to decrease the opportunities for embezzlement.
Having multiple employees overlapping duties is a must for any organization committed to data security. No one person in the IT team should have sole responsibility for a given system, platform or application. This requires cross-training of individuals and ensuring that the individuals regularly rotate responsibilities.
8. Adopt written policies and procedures about use of, and access to, your electronic and digital equipment and systems. The policies and procedures need to deal with what is allowed, what is prohibited, and the consequences if an employee misuses or wrongfully distributes information, records, and documents. Distribute the policies and procedures to all employees and obtain their signatures verifying they received, read, and understand the policies.
9. State clearly in the policies that former employees will no longer have access to private, sensitive, and confidential information. This especially means that former employees are not given access to employer-issued or employer-owned computers, laptops, other data-bearing devices, or paper documents.
10. Communicate regularly, at least once a year, these policies and procedures to all employees.
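Steps 5 and 6 above describe a review of who accessed what, when, and how much. The Python below is an added example, not part of the original article: it runs over a small constructed access log and flags off-hours access, unusually large downloads and access outside an employee's assumed need-to-know areas; the log format, the need-to-know mapping and the thresholds are all assumptions.

```python
"""Flag anomalous data access in a constructed access log.

Covers steps 5 and 6 above: access outside work hours, unusually large
downloads, and employees retrieving data their role should not need.
Log format, role mapping and thresholds are assumptions for this example.
"""
from datetime import datetime

# Constructed sample log: timestamp, user, resource path, bytes transferred
ACCESS_LOG = """\
2024-03-04T09:15:00 alice hr/payroll.xlsx 120000
2024-03-04T22:40:00 bob finance/ledger.csv 5000000
2024-03-05T10:05:00 carol eng/design.pdf 800000
2024-03-05T11:30:00 bob hr/payroll.xlsx 90000
2024-03-06T03:10:00 carol finance/ledger.csv 45000000
"""

# Top-level folders each employee is expected to need (assumed mapping)
NEED_TO_KNOW = {"alice": {"hr"}, "bob": {"finance"}, "carol": {"eng"}}

WORK_HOURS = range(8, 19)          # 08:00 to 18:59 counts as normal
LARGE_DOWNLOAD_BYTES = 10_000_000  # 10 MB threshold, an assumption


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, resource, size = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "bytes": int(size)})
    return events


def flag_events(events, need_to_know=NEED_TO_KNOW):
    """Return (user, resource, reason) for every red flag in the events."""
    findings = []
    for ev in events:
        reasons = []
        if ev["time"].hour not in WORK_HOURS:
            reasons.append("off-hours access")
        if ev["bytes"] >= LARGE_DOWNLOAD_BYTES:
            reasons.append("large download")
        # Compare the top-level area against what this person should need
        area = ev["resource"].split("/", 1)[0]
        if area not in need_to_know.get(ev["user"], set()):
            reasons.append("outside need-to-know")
        findings.extend((ev["user"], ev["resource"], r) for r in reasons)
    return findings


def findings_by_user(text=ACCESS_LOG):
    """Group flags per employee so review starts with the worst cases."""
    summary = {}
    for user, resource, reason in flag_events(parse_log(text)):
        summary.setdefault(user, []).append(f"{reason}: {resource}")
    return summary
```

On the constructed log, carol's 03:10 pull of a 45 MB finance file trips all three checks at once, which is the kind of stacked signal that should be investigated first.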