Technology has opened up doors for a new class of high-tech criminal. Business owners and consumers are bombarded with articles and news reports warning against the dangers of identity theft, computer hacking and other scams that were unheard of 25 years ago.
While it’s important to keep your computer and financial records safe from unknown tech-scam professionals, the criminal your business could fall prey to may be much more familiar. Unfortunately, many of the most common types of fraud cases are internal.
Smart Business spoke to Glenn Lauter and Paul Orsborn of Comerica Bank about what you can do to protect your small business against internal fraud.
How common is internal fraud?
Lauter: Employee-committed acts are the most common and most expensive type of fraud, accounting for more than half of all reported cases. Employees have the easiest access and can sometimes harbor resentment or anger that pushes them to break the law. According to the Association of Certified Fraud Examiners, $652 billion per year is lost to internal fraud. Small businesses are the most vulnerable, accounting for a whopping 80 percent of all internal fraud cases.
What types of internal fraud should I be on the lookout for?
Orsborn: The most common ones are asset misappropriation, corruption and doctoring financial statements, as well as pilfering company cash or resources. Bribery and kickbacks, which involve vendors or others outside the business, are also common.
One thing that is helpful in alerting management to a possible internal theft is a company policy that requires employees to report suspicious activity of another employee. In order to be successful, there must be a secure, anonymous method for the employees to report any such activity.
What preventative measures can I take?
Lauter: Many businesses fall victim to fraud because they trust their employees and think that it can’t happen to them. One of the most effective measures a business owner can have in place to protect his or her business is a solid set of policies and procedures. Employees should be well versed in these policies and know that violations will not be tolerated.
How can I help ensure the people I hire are trustworthy?
Orsborn: Small businesses should take measures to screen potential employees before they entrust them with the company’s confidential information. Inform candidates they are subject to a background check for initial employment and a subsequent check if they move into a new function in a more sensitive area. Permission for credit checks should also be a condition of employment.
Additionally, separation of duties is an effective control a company can put in place to protect itself. For example, inventory warehouses can be full of loopholes that should be watched. It may be as simple as having a different person check out equipment than the one who checks it back in. Make sure that your employees know exactly what their responsibilities are and have been thoroughly trained.
What role can I play in preventing fraud?
Lauter: It is best to be involved in your business and oversee all areas of operation so if something doesn’t look right, it can be addressed right away. For instance, keep control of your bank account. Too often, small businesses tend to give other people control of their accounts and do not monitor the account activity until it is too late. Also, scrutinize checks for your signature and never sign a blank check. Avoid using a signature stamp, as that will limit the potential for someone to forge a company check. Finally, have an outsider review your books monthly, or at least quarterly, with no advanced warning to your employees.
GLENN LAUTER and PAUL ORSBORN are senior vice presidents for Comerica’s Texas Business Banking Division. Comerica Bank is the commercial banking subsidiary of Comerica Incorporated (NYSE: CMA), the largest banking company headquartered in Texas, and strategically aligned by three business segments: The Business Bank, The Retail Bank and Wealth & Institutional Management. Comerica focuses on relationships, and helping people and businesses be successful. In addition to Dallas, Houston and Austin, Texas, Comerica Bank locations can be found in Arizona, California, Florida and Michigan, with select businesses operating in several other states, as well as in Canada and Mexico. Comerica reported total assets of $55.0 billion at March 31, 2011. To receive e-mail alerts of breaking Comerica news, go to www.comerica.com/newsalerts.
Your employees may be using your business’s credit cards to make charges you haven’t authorized. And if you don’t discover it soon after the fact, you may be liable for those charges.
“A court’s rationale is pragmatic and straightforward. If the credit card bank sends you a monthly statement and you send payment in full for all charges, then the bank is entitled to rely on the fact that all of the charges on that statement are authorized and have been approved,” says Joe Hickey, a member at Dykema Gossett PLLC.
Smart Business spoke with Hickey about how to keep from becoming a victim of employee credit card fraud.
How is fraud perpetrated against individuals and businesses?
Unauthorized use is a use that is not authorized by express, apparent or implied authority. If someone uses your card with your express consent you are obviously liable for the charges. But cardholders can be liable for a fraudulent use of their card — one they likely view as unauthorized — when the cardholder’s conduct cloaks the perpetrator with the apparent authority to use the card.
Typically, fraud with a personal card involves a wealthy individual who hires an assistant and gives that person access to all of the security verification information needed to apply for and/or use a card. That person will also review and pay the monthly card statements received from the credit card bank. It’s this combination of complete and unfettered autonomy and access, coupled with the cardholder never reviewing the statements, that creates apparent authority.
Businesses that frequently issue business cards to individual employees in their own names and with their own credit card numbers may have someone in their accounting department who both reviews and pays all business card statements. If that person is dishonest, he or she might fraudulently apply for their own card, with no one the wiser because that same person pays the bills.
How can business owners try to avoid being defrauded?
That is up to the business owner. To ensure the card is not being used fraudulently, a good start is to separate the payment and review functions. The person monitoring incoming statements should be independent of the payment process, and the person making payments should probably not have the ability to incur charges on the card (unless, of course, someone else is auditing).
Courts are likely to hold you liable if you do not separate those functions. While this is undoubtedly a fraudulent use of the card, it will be considered an authorized use because the bank receiving the payments rightfully concludes (based on the actual cardholder’s conduct) that the charges were authorized. Otherwise, why would payments be made?
Why do businesses often overlook fraudulent charges?
Individuals and businesses erroneously believe it is their bank’s duty to monitor their accounts for fraud. That is not true. While credit card banks employ fraud detection technologies, those technologies are designed merely to try to detect fraudulent use of your card before you receive your statement. Banks in no way hold themselves as monitoring your account and being responsible for finding fraud. Frankly, this is an impossible task. The best fraud detection system is personally reviewing the monthly statements.
Businesses might also mistakenly believe that they have procedures in place that would expose fraud, but because the perpetrator employees are also given unfettered access to make payments and withdrawals from bank accounts, as well as having broad access to accounting books and records, they are perfectly situated to manipulate information to hide their fraud. For example, while the ledger may indicate that a check was issued to pay a vendor, it’s possible for a perpetrator to issue a check to pay off the credit card. If you or someone independent does not audit the credit card statements and bank records with the books, it’s likely no one will know for sure if a payment was actually made to the credit card bank rather than the vendor.
In addition, business owners might have an employee create summaries of charges from the credit card statements. The owner reviews this summary prepared by the same person committing the fraud, but never reviews the actual statement. This, too, is not the bank’s fault.
How can a company avoid finding itself in this situation?
Be diligent and employ reasonable audit and cross reference procedures. It’s important to regularly review the statements so you notice charges you didn’t approve. Alternatively, keep the review and payment functions separate. Either way, the quicker you take action to advise the credit card bank the charges are fraudulent, the less likely this use will be viewed as authorized. If, on the other hand, you do not look at statements for months — or even years — it’s possible the courts will show little sympathy if you seek to recoup the money from the credit card bank. While you could always go after the renegade employee, they likely lack the funds to pay you back.
Under the Fair Credit Billing Act, you generally have 60 days to contact the bank and say, ‘This charge isn’t mine.’ If 60 days is the appropriate time for reporting billing errors, it’s also appropriate for reporting fraudulent use of a credit card. After that, the bank has a better argument.
If, despite its best efforts, a company is the victim of credit card fraud, what is the next step?
Contact your credit card bank, report the fraud and ask it to investigate. If the bank concludes that this was your employee and this employee was authorized to use the card via apparent authority, it will likely say you are liable. True, the person forged your signature and the act is fraud; but if you’re not timely in uncovering the fraud, the courts will determine that you let it happen.
Joe Hickey is a member at Dykema Gossett PLLC. Reach him at (248) 203-0555 or email@example.com.
Although business owners often take steps to mitigate potential theft from outsiders, they are often reluctant to address the risk of fraud committed by their own employees.
Although employers inherently trust their employees, the smart business owner should still take steps to reduce the opportunities for fraud to occur, says Clark Keeler, CFE, director, Assurance & Consulting at Burr Pilger Mayer, Inc.
“Fraud risk is always present. If you don’t address that risk, all you can hope for is that you are lucky,” Keeler says. “The average loss in a fraud occurrence is $160,000. That is a lot of expense to leave to luck.”
Smart Business spoke with Keeler about minimizing the risk of occupational fraud.
Why should employers be concerned about the risk of fraud?
Occupational fraud occurs when an employee or vendor finds a way to divert assets from a company by means of deception. The ACFE’s 2010 Report to the Nations estimates that 5 percent of the annual revenues of companies worldwide is lost to fraud, approximately $2.9 trillion! And that estimate cannot factor in the frauds that are never uncovered.
All organizations need to be concerned with fraud, because the risk is always present and because management doesn’t control the factors that can get someone to commit fraud. Management should understand that it takes, on average, 18 months to discover fraud. So, not only are the economic damages enormous, but the fraud can also seriously damage trust within the corporate culture. Employees may no longer feel certain they can trust their peers, and management may no longer feel safe trusting employees. The cultural damage can take a long time to recover from.
How is fraud commonly discovered?
In more than 40 percent of cases, fraud is discovered as the result of a tip from a third party. Although companies tend to rely on their external auditors, statistically external auditors discover less than 5 percent of fraud cases. Management review (16 percent) and internal audits (14 percent) are more effective that external audits.
How can employers prevent fraud?
Fraud can never be completely prevented. Management can be diligent and implement practices that reduce its impact. For fraud to occur there has to be opportunity, a perceived need and the ability to rationalize the behavior. The needs may be real (medical bills for a sick child), or imagined (a desire for a second home), but the rationalization will be made to justify that need. Unfortunately, management can’t control what employees think. However, they can reduce the opportunity to commit fraud by implementing internal controls that make it difficult for a single individual to carry out the fraud. The primary goals of internal controls are to reduce opportunity and to allow timely reaction to the indicators of fraud.
It is also important for management to create and maintain an ethical environment that communicates an ethical tone from the top, and communicates that fraud won’t be tolerated. Communication and trust between management and employees is critical. The implementation of an anonymous reporting hotline that allows employees to report suspected fraud can be very effective.
What other steps can employers take?
Almost all fraud prevention strategies relate to oversight. Where possible, management should try to create a segregation of duties so that no one individual has control over critical information that isn’t reviewed. You don’t want the individual who pays the bills also determining who your company does business with. Have another individual involved in the process wherever possible.
When an employee has no oversight, it doesn’t take that person long to realize it, and the fraud factors — opportunity, need and rationalization — have a chance to fester. Most people are ethical and won’t give in to the temptation that opportunity provides. However, management doesn’t need to take that chance. Take away the opportunity and the perception of need and rationalization may never arise.
In smaller companies, it’s often difficult to create a segregation of duties. However, there are ways to monitor information relating to an individual’s activities. If management can’t review a person’s work while it is happening, they can always monitor the results in a timely fashion after the fact.
How can employees play a role in fraud prevention?
Get employees to feel part of the organization. Employees provide the best fraud protection a company can have. Employee education is the foundation of preventing and detecting fraud. If your employees are aligned with the company’s goals, they will keep one another in line and won’t tolerate misbehavior. They’ll believe misbehavior impacts them. However, if employees don’t feel aligned with management and the business, they may turn a blind eye, or commit fraud themselves.
How can a forensic expert help employers address fraud?
In a preventive situation, a forensic expert will assist management in strengthening and documenting the ethical environment they’ve created, and assist them on how to communicate those beliefs to employees. Simultaneously, the forensic expert will identify and address the weak points in the company’s internal controls so that the opportunities for fraud are minimized.
Once fraud has occurred, there are no positive scenarios. Management has already lost the money, and the chances of recovery are small. Investment in a forensic team to determine how the fraud occurred incurs even more costs. It is always much easier, and far less expensive, to invest in a little protection up front by proactively implementing the preventive fraud practices that reduce the always-present risks of fraud.
Clark Keeler, CFE, is director, Assurance & Consulting at Burr Pilger Mayer. Reach him at (415) 863-3868 or CKeeler@bpmcpa.com.