Monitor, Verify and Verify Again
Over the past decade or so, well-publicized scandals involving Enron, Parmalat, Royal Ahold, WorldCom and other companies have prompted corporate officials, lawmakers and regulators to insist on beefing up internal auditing controls and risk-management operations.
Asset Misappropriation in Canada
|Ninety per cent of occupational fraud cases in Canada involve asset misappropriations, according to a study by the Association of Certified Fraud Examiners.
Those misappropriations had a median loss of $200,000; 38.9 per cent had a corruption component with a median loss of $250,000; 11.1 per cent involved fraudulent financial statement schemes with a median loss of $1,075,000.
Cash is by far the most frequently misappropriated asset, accounting for 86.4 per cent with a median loss of $198,500. That loss is nearly double the non-cash losses, which totaled a median $100,000.
This finding is most likely explained by the liquid nature of cash as opposed to inventory, equipment and other non-cash assets, according to the study, entitled Detecting Occupational Fraud in Canada.
And yet, fraud still occurs at companies, despite spending multi-millions of dollars on software and hiring multitudes of risk monitors, auditors and compliance personnel. While you may not want to budget large sums on risk-management, there are some fundamental tools that should never be ignored by any business of any size in any industry. At the top of the list is the most critical canon of forensic accounting:
Every employee must take some annual leave. While employees are on holiday, a co-worker should cover for them. This is a simple step, but it has uncovered many sophisticated frauds and embezzlements.
Employees who process transactions should be taken off their desks at intervals, so that any existing chain of successive falsifications can be discovered and broken. Refusing vacation time is one of a series of behaviours that should be considered suspicious if they arise in conjunction with fiduciary abnormalities. Watch for sudden changes in lifestyle, or buying a larger home, a more expensive car or costly clothing.
Here are five other steps to take to help ensure your business is protected from employee fraud:
1. Update and modify controls: Successful businesses grow and expand, and in the process their internal controls can become outdated or overworked. Be sure to review your company’s controls on a regular basis to help ensure that they are still adequate.
2. Set up checks and balances: Your company doesn’t have to be a world-class financial institution to have complex transactions that can involve several reports rather than a single document accounting for all aspects of the deal. Be certain that your company enforces disciplined reporting of facts and information and reviews them from all angles. Make sure all relevant parties — traders, accountants, risk managers and the people who run the business — regularly and rigorously review everything. And, perhaps most importantly, check reports randomly rather than on a regular schedule.
3. Vigilantly monitor internal controls: Part of monitoring controls should involve periodic testing to see how easily your company’s systems and procedures can be penetrated. And when designing security systems, always assume that every user has the potential to be a criminal. A trusted insider who learns the inner workings of the company network, security specialists warn, can do some of the worst damage.
4. Frequently review passwords: Make staff aware of the importance of keeping passwords confidential and secure. Limit employee access to information, and require use of passwords that are not easily guessed. Some forensic specialists recommend changing passwords at least every 30 days. Regularly audit systems that don’t require passwords.
5. Trust no one: While you don’t want to run your business like a prison, never assume that because an employee is performing “junior” work that there is no chance for fraud. When you are confronted with questions about any employee’s suspicious behaviour, take action immediately and double check what you discover. Verify everything. People tend to ignore suspicious activity, rationalize decisions to not take action, or misguidedly think that no single individual is in a position to create any damage.