One of the primary functions of management is to understand what is actually going on in an organization, as opposed to what is supposed to be happening. However, for monitoring to be truly effective, there must first be good communication, a culture that promotes ethical behavior and a solid understanding of the particular organization’s risk factors.

“Organizational monitoring is not just about protecting a company from fraud,” says James P. Martin, CMA, CIA, CFE, managing director at Cendrowski Corporate Advisors LLC. “Monitoring systems can help ensure quality, that customer needs are being met and that the company is doing everything else that is necessary to achieve its goals.”

Smart Business spoke with Martin about how management can understand what is truly going on within the business.

What are the steps to an effective organizational monitoring plan?

First, the company must clearly define its goals. What is it trying to accomplish and how will it accomplish those goals? Second, what risks does it face? What can get in the way of the company accomplishing those goals? Third, what type of early warning system does the company need? How will it know if and when a risk has occurred or if someone has not performed as expected?

What impacts are electronic monitoring systems having?

Electronic monitoring systems have been around awhile but are drawing increased attention now with more severe penalties and potential outcomes for violations under Sarbanes-Oxley. Electronic monitoring systems are similar to a car’s dashboard. When trigger points, predefined events or hurdles are detected, ‘warning lights’ appear on the manager’s desktop.

While electronic monitoring is useful, it cannot — and should not — replace human involvement. The most important thing managers can do is be involved with operations on a day-to-day basis by walking around and talking with employees, holding regular meetings, receiving regular reports and phone calls, etc.

How are trigger points identified?

An organizational assessment of risk will help management identify areas that have more robust monitoring needs. Examples might include finance, everything related to potential issues arising with cash, or vendor management, such as notification every time a vendor’s address changes. Triggers also can monitor quality metrics, supply chain issues, personnel issues, etc. The system should be proactive so that management can address issues before they get out of control, preventing a crisis management situation.

It’s important to note that a monitoring system is more holistic than the definition of trigger points. The single biggest factor is people — what they will do in a given situation. The overall culture needs good communication systems and a clear understanding of management expectations.

Monitoring techniques need to continuously adapt to consider potential changes in behavior. There are a lot of examples of companies that had defined monitoring procedures, but creative people were able to identify and exploit areas that were not considered in those procedures.

How do private equity firms monitor the activities of the companies they invest in?

Private equity firms have to monitor the operations of the portfolio companies, not to the extent of detail that internal management does, but they do need to define risk. These companies have expectations, and if they identify certain events on the horizon, they can be prepared to take certain actions. Like the companies they monitor, private equity firms also must define their own particular trigger points.

Any tips for improving a system?

Make sure you’re monitoring the right areas. There may be areas you’ve historically monitored that have now changed, which is where the internal audit function comes in. The board’s audit committee must understand what is critical for the upcoming year. In examining the ‘audit universe’ — the model that defines every auditable event within the organization — areas of risk are identified, and then prioritized for audit. It's management’s responsibility to determine how many resources to invest in each given area of risk.

James P. Martin, CMA, CIA, CFE is managing director at Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or jpm@cendsel.com.

Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC

Published in Chicago

Many companies undertake an acquisition using only a financial due diligence process. However, for a greater chance of detecting potential misrepresentations, companies need to incorporate forensic investigative tools into their standard due diligence process.

“Forensic techniques will help point out and isolate areas of potential fraud as well as any irregular or suspicious activity,” says Michael Maloziec, an accountant at Cendrowski Corporate Advisors LLC.

Forensic analysis during the due diligence process can uncover accounting improprieties that could overinflate the value of a target company. Performing these two services together will give increased assurance that projected performance is achievable, Maloziec says.

“Adding in forensic analysis is a crucial step toward assuring your acquisition is successful. It can allow you to see past ‘closed doors’ into areas you might not think to look,” he says.

Smart Business spoke with Maloziec about forensic techniques and their benefits during the acquisition process.

How large of a role can fraud play?

It’s huge. The Association of Certified Fraud Examiners Report to the Nations found a typical organization loses some 5 percent of its revenue to fraud each year. Even though that does not sound like a significant number, when applied to the Gross World Product, this figure translates to a potential projected annual fraud loss of more than $3.5 trillion.

What are some caveats to keep in mind?

Companies will always showcase their business in the best possible light. Managers will ‘polish the apple’ so to speak. Bear in mind the sales numbers might be misstated, which can overinflate the value of the company. Also, companies will not disclose everything, so it is important to proceed forensically during your due diligence process. Always be aware of potential manipulation in reserves and estimates. Reserves are one of the most common areas for fraud to occur because it is under management’s discretion. These caveats will help you recognize and point out areas that raise red flags.

How can you protect yourself from fraud?

One method is to look behind the numbers. You should always carry a certain sense of forensic skepticism and never make assumptions during any part of the due diligence process. Be sure to ask questions that will dig into transaction details and note any instances that provoke uncertainty. Don’t forget about applying simple common sense. Ask yourself, ‘Do the numbers flow with the current business plan that is set in place? Do management’s representations make sense?’ You can also utilize a number of analytical tools to spot any anomalies.

What analytical tests should be performed?

A great way to start would be to forensically analyze the financial statements over the past few years. During analytical testing, it is important to review current and past events in order to isolate anomalies from known events. You can utilize a variety of different ratio analyses, which can be an excellent tool in detecting red flags. Ratio analysis measures the relationship between various financial statement amounts and tracks how past numbers are trending with current results. To gain some perspective, compare company financial information to similar industries that hold the same standards, such as size, geography or sector. There are also numerous computer software programs that will assist in narrowing the scope and provide the capability of recognizing potential fraud.

How should a company approach this issue?

Start by assessing the business processes. Processes provide guidance to employees and assure accurate reporting. Acquirers need to review and understand the capacity and capability of their target organization. As part of the due diligence process, the acquirer should examine the current processes and identify any weakness or holes that could allow for erroneous or unauthorized transactions. A great method to gain insight would be to perform an internal risk assessment, which can help identify industry risks that might not be so obvious. This allows managers to zero in on areas that might be susceptible to potential fraud before they become a problem.

Michael Maloziec  is an accountant at Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or mjm@cendsel.com.

Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC

Published in Chicago

When times are tough, the temptation for employees to dupe the system and steal cash or assets increases. The economy is a key driver in fraud activity, and over the last several years, organizations of all sizes have been victimized.

So is the fraud environment improving now that there’s news of an uptick in the economy? Not yet, says Jason Buhlinger, a supervisor in financial advisory services at Brown Smith Wallace LLC, St. Louis, Mo.

“While there may be signs of the economy getting a little better, people still feel uncertain — and as long as that feeling is in the back of their minds, there is motivation and a rationalization to steal,” Buhlinger says.

Companies are running leaner, which means there is less management oversight at some firms, and others have eliminated internal audit personnel. One person may be doing the job of two or more employees, so the work force is spread thin. And that may mean that no one is watching should an employee decide to commit fraud.

“Imposing internal controls becomes harder to accomplish with less staff,” Buhlinger says.

Now is not the time to let your guard down as a business owner.

“The longer the economy trickles along, we’ll continue to see people who are looking for easy ways to get cash,” Buhlinger says.

Smart Business spoke with Buhlinger about the types of fraud being committed and how to establish strong internal controls to protect your business.

What specific economic factors drive individuals to commit fraud?

The recession began in December 2007, and at one point, the Dow Jones Industrial Average was down as much as 50 percent. People had to become more frugal. Those who planned on retiring early had to re-examine that goal as they watched their investment savings dwindle. And home prices dropped significantly in some areas of the country.

All of a sudden, the asset values that many people counted on were gone and they had to figure out a way to supplement that. This is where the fraud triangle comes into play — opportunity, rationalization and pressure. All three of these stress points have increased in the past several years, and this continues to be the case.

As long as people feel a sense of economic uncertainty, that can evolve into rationalization and pressure to find more money somehow. When the opportunity to commit fraud presents itself, rather than taking the higher moral road, as they might in better times, they justify the act and take that opportunity. Your organization can’t realistically eliminate all rationalizations and pressures, but it can manage the opportunity side of the triangle.

What types of fraud are most common today?

Asset misappropriation remains the most common type of fraud. That includes, but isn’t limited to, cash theft, payroll schemes and inventory theft, to name a few. A worker might file false expense reports and pocket the cash, or take product from a warehouse and sell it for a profit.

Stealing from cash registers $20 at a time can go unnoticed if proper controls aren’t in place. Asset misappropriation tends to involve smaller amounts of money, but those dollars add up over time.

What are the components of an effective fraud awareness program?

Organizations need to take a proactive approach to prevent fraud. Owners need to be involved in the financial aspect of the business rather than passing that role off entirely to a manager. For example, we recently handled a fraud case in which a CFO had complete financial control of the company and could take whatever he wanted. If their company had implemented the critical concept of segregation of duties, it would have been more difficult for him to pull off fraud.

Segregation of duties is critical to prevent fraud, and this can be a challenge in small businesses. That’s why owner involvement is critical at every level of a business, from reviewing financial statements to checking in at the cash registers. It also helps if organizations provide a way for employees to anonymously report fraud through a tip line or even a simple suggestion box.

By keeping fraud at the forefront of your business, you will discourage those who are teetering on the edge of committing fraud. And with internal controls in place, you will be more likely to catch fraud early before it causes significant damage to the business.

How can a business be proactive about creating a culture of honesty?

It’s important to create a fraud prevention program and talk about it regularly with employees. Hold quarterly meetings to discuss fraud and internal controls. Let everyone know your organization has a zero tolerance policy. By making employees aware that fraud is on the radar and no one is going to get away with it, you decrease the rationalization and opportunity for fraud to occur.

Begin a fraud prevention program to learn what areas of your business are susceptible to fraud. A risk assessment will help you zero in on entry points for fraud so you can watch those areas carefully.

A certified fraud examiner (CFE) can help you get that fraud policy on paper, and it’s a good idea to incorporate it into your employee handbook. Secure a commitment in writing from every employee that they understand the policy and the ramifications if fraud is committed.

 

Jason Buhlinger, CFE, AVA, is a supervisor in financial advisory services at Brown Smith Wallace, St. Louis, Mo. Reach him at  (314) 983-1310 or jbuhlinger@bswllc.com.

Insights Accounting is brought to you by Brown Smith Wallace LLC

Published in St. Louis

Online banking is convenient, but it’s easy for cybercriminals to gain access to your accounts when you process transactions over the Internet. Organized criminal gangs are using malware and phishing schemes to steal approximately $1 billion from small and mid-sized companies across the United States and Europe each year, and the problem has become so pervasive that a recent theft of $100 million from a business account barely registered on the FBI’s radar.

The good news is that it’s possible to enjoy the convenience of online banking without exposing your company to unnecessary risk by taking advantage of a bank’s products and services and exercising some basic precautions.

“Cybercriminals pose a real and serious threat,” says Barry Langer, first vice president and customer relations manager for Corporate Services at California Bank & Trust. “Executives need to educate themselves and understand the risks, then take some basic steps to safeguard banking transactions.”

Smart Business spoke with Langer about balancing risk and convenience by protecting your bank accounts from the most common forms of fraud.

How are cybercriminals attacking business accounts?

Companies incur risk whether they’re writing checks or processing online payments, but the greatest threat occurs in cyberspace. When an unsuspecting employee opens an authentic-looking email or document from an imposter, wily cybercriminals can steal user names and passwords by downloading malware such as the Zeus virus onto computers. Cybercriminals can also embed viruses in Web sites, innocuous Word documents such as resumes or simulated email alerts from social networking sites such as Facebook. Unfortunately, employees often fail to recognize an attack because the virus is programmed to evade network security, giving fraudsters access to your accounts. Worse yet, anyone can purchase the Zeus Trojan for about $700.

How can companies minimize risk and the possibility of fraud when processing online banking transactions?

Your employees need to serve as the first line of defense, but they need training to recognize cybercriminals’ tricks and tactics and thwart potential attacks. In addition, companies need to notify their bank immediately if they suspect a breech.

Businesses should also:

  • Eliminate outside risk. Don’t rely solely on security software, antivirus programs and firewalls. Protect your system from viruses and malware by stopping employees from downloading documents stored on external flash drives or CDs, or accessing outside email accounts. Better still, keep viruses from invading your network by using a dedicated computer strictly for banking transactions because most viruses are transmitted via email or while surfing the Internet.

  • Reconcile accounts. Nip fraudulent activity in the bud by reconciling your business accounts daily.

  • Take advantage of bank products and services. Your bank can help you prevent fraud by providing education, best practices and tools such as antifraud software.

  • Implement a dual authentication security process. This is another way to prevent online payment fraud, as different people create and approve each transaction. While the duplicate process requires additional time and staff, it reduces the opportunity for someone to initiate or approve fraudulent payments.

How can companies minimize the risk of paper or check fraud?

Unless companies use a fraud prevention service such as Positive Pay, forgers can wash payees’ names from stolen checks and substitute their own, alter the amount or use software to duplicate checks. With the Positive Pay service, companies send a check issue file to their bank and it is matched against checks presented to identify discrepancies or suspect checks.  Checks that do not match the check issue file are presented to the company for examination. While it’s not free, Positive Pay has the ability to lower costs by reducing unauthorized transactions, potential losses and legal fees.

Positive Payee Match provides another layer of security, as your bank also matches the name of the payee against the roster of issued checks. You can also review the front and back of exception items online and quickly make payment/return decisions from the convenience of your office.

If you don’t want to provide a check issue file, you can monitor presented checks online and return them immediately by utilizing an alternate service called Reverse Positive Pay.

How can companies prevent ACH fraud?

Savvy companies are reducing risk without sacrificing convenience through a service called ACH Positive Pay, which enables you to view and make decisions to accept or reject ACH items before they post to your account. If reviewing every transaction is too time consuming, simply create a filter and review and approve transactions above a specified dollar limit.

How can executives spearhead fraud prevention efforts?

Executives must set the tone by acknowledging the seriousness of the threat and prioritizing risk mitigation over convenience when processing banking transactions. Small to mid-sized businesses are particularly vulnerable to cyber attacks, so executives at those companies should utilize the risk assessment tools and best practices provided by your bank. Remember, an ounce of prevention is worth a pound of cure because a single attack can easily cost your business hundreds of thousands of dollars.

Barry Langer is first vice president and customer relations manager for Corporate Services at California Bank & Trust. Reach him at (213) 593-3838 or Barry.Langer@calbt.com.

Insights Banking & Finance is brought to you by California Bank & Trust

Published in Los Angeles

You may think that your employees would never steal from you, but how well do you really know and trust the people who work for you? One-third of all employees steal from their employers, and it is estimated that the average loss for an act of employee fraud is in excess of $175,000, says Andrew Rowles, client adviser at SeibertKeck Insurance Agency.

“Even the best internal controls can fall short of preventing an employee from committing a dishonest act if he or she is determined to do so,” says Rowles.

Employee crime and theft have dramatically reshaped business in corporate America.  For example, on Sept. 9, 2011, Carla Jean Johnson was sentenced to 120 months in federal prison for her conviction of wire fraud that cost her employer $977,418. Columbia Lloyds Insurance Co. paid the company’s claim to cover the controller’s embezzlement.

Smart Business spoke with Rowles about why it’s worth investing $5,000 in premiums to protect your assets and ensure that employee fraud doesn’t put you out of business.

What constitutes employee theft, and what company assets are most at risk?

Employee theft can be classified into two major categories: theft of property and misappropriation of funds. Theft of property can include office supplies, inventory, work in process or scrap that belongs to the company. Misappropriation of funds can include the use of accounting records to disguise or redirect accounts receivable, misuse of credit cards, payroll fraud, outside businesses paying kickbacks or other unauthorized transactions.

What protections do general insurance policies offer companies against employee theft?

A standard ISO property policy will pay for a nonemployee stealing from your organization, but what if it is internal? A majority of today’s insurance carriers offer a crime policy to cover business assets that are stolen by an employee.

When purchasing a policy, keep in mind how the policy defines an employee and who is excluded from coverage. Crime causes a greater amount of commercial property losses than any other type of property losses. Current estimates are as high as $50 million annually in the United States for employee dishonesty losses alone. Employee dishonesty is just one of many types of commercial crime exposures that you should consider.The fundamental Crime Insurance parts are:

  • Employee theft
  • Forgery or alteration
  • Inside the premises — theft of money and securities; robbery or safe burglary
  • Outside the premises — messenger
  • Computer fraud and funds transfer
  • Money orders and counterfeit paper currency

What types of policies protect employers specifically against employee theft, and how do they differ from general policies?

Commercial crime insurance coverage can be written as a part of your commercial package insurance policy or as a separate standalone policy. The advantage of a stand-alone is that you can customize forms and coverage to meet your business’ specific needs and may be an option if the commercial package insurance company is not in a position to offer you the amount of crime insurance that you need.

There are two policy forms used by carriers to offer employee theft coverage.  Selecting the correct form is important and the forms differ in the premium charged for coverage.

  • Discovery form. The discovery form covers losses that are identified, or discovered, during the policy period, even if the loss happened some time before.
  • Loss sustained form. The loss sustained form will cover only losses that occur during the policy period and up to 12 months after the policy expires. Keep in mind that employee theft can take time to discover. This form could expose you to the risk of financial loss spread over multiple years.

What types of fraud can occur with employee pension or 401(k) plans, and how can they be prevented?

In 1974, the Employee Retirement Incomes Security Act (ERISA) established insurance guidelines to protect the assets of any employer-sponsored pension, profit sharing, or employee welfare plan. ERISA requires that 10 percent of any benefit plan assets be covered by insurance to protect the plan(s) from employee dishonesty. Coverage protects the participants and beneficiaries from dishonest fiduciaries who handle the plan assets.

There are two ways to provide such coverage, either by endorsing the crime policy or purchasing a separate bond through your insurance company. Keep in mind that it is important to regularly review your plan and review the information provided by your administrator.

What procedures can an employer implement to reduce the risk of employee theft?

In a slow economy, businesses have experienced stalled growth, reduced revenue, liquidity concerns and implementing procedures to reduce theft becomes a higher priority as a loss becomes more certain. A business owner should look into implementing loss control procedures to protect the company’s assets. Here are a few examples:

  • Isolate duties — splitting the job of taking money in and sending it out for deposit. Books kept by one person should be reconciled by another.
  • Require countersignatures on all checks.
  • Perform background checks.
  • Establish a code of conduct.
  • Implement whistleblower and hotline programs.

Nearly every business needs to consider purchasing a commercial crime insurance policy, although determining as to what limit can be difficult. Companies should consider the financial impact of an employee theft claim and discuss this with their accountant, attorney and insurance agent.

Andrew Rowles is a client adviser at SeibertKeck Insurance Agency. Reach him at (330) 867-3140 or arowles@seibertkeck.com.

Insights Business Insurance is brought to you by SeibertKeck Insurance Agency

Published in Akron/Canton

You may think that your employees would never steal from you, but how well do you really know and trust the people who work for you? One-third of all employees steal from their employers, and it is estimated that the average loss for an act of employee fraud is in excess of $175,000, says Marc McTeague, president of Best Hoovler McTeague Insurance Services, a member of the SeibertKeck Group.

“Even the best internal controls can fall short of preventing an employee from committing a dishonest act if he or she is determined to do so,” says McTeague.

Employee crime and theft have dramatically reshaped business in corporate America.  For example, on Sept. 9, 2011, Carla Jean Johnson was sentenced to 120 months in federal prison for her conviction of wire fraud that cost her employer $977,418. Columbia Lloyds Insurance Co. paid the company’s claim to cover the controller’s embezzlement.

Smart Business spoke with McTeague about why it’s worth investing $5,000 in premiums to protect your assets and ensure employee fraud doesn’t put you out of business.

What constitutes employee theft, and what company assets are most at risk?

Employee theft can be classified into two major categories: theft of property and misappropriation of funds. Theft of property can include office supplies, inventory, work in process or scrap that belongs to the company. Misappropriation of funds can include the use of accounting records to disguise or redirect accounts receivable, misuse of credit cards, payroll fraud, outside businesses paying kickbacks or other unauthorized transactions.

What protections do general insurance policies offer companies against employee theft?

A standard ISO property policy will pay for a nonemployee stealing from your organization, but what if it is internal? A majority of today’s insurance carriers offer a crime policy to cover business assets that are stolen by an employee.  When purchasing a policy, keep in mind how the policy defines an employee and who is excluded from coverage. Crime causes a greater amount of commercial property losses than any other type of property losses. Current estimates are as high as $50 million annually in the United States for employee dishonesty losses alone. Employee dishonesty is just one of many types of commercial crime exposures that you should consider.The fundamental Crime Insurance parts are:

  • Employee theft
  • Forgery or alteration
  • Inside the premises — theft of money and securities; robbery or safe burglary
  • Outside the premises — messenger
  • Computer fraud and funds transfer
  • Money orders and counterfeit paper currency

What types of policies protect employers specifically against employee theft, and how do they differ from general policies?

Commercial crime insurance coverage can be written as a part of your commercial package insurance policy or as a separate standalone policy. The advantage of a stand-alone is that you can customize forms and coverage to meet your business’ specific needs and may be an option if the commercial package insurance company is not in a position to offer you the amount of crime insurance that you need.

There are two policy forms used by carriers to offer employee theft coverage.  Selecting the correct form is important and the forms differ in the premium charged for coverage.

  • Discovery form. The discovery form covers losses that are identified, or discovered, during the policy period, even if the loss happened some time before.
  • Loss sustained form. The loss sustained form will cover only losses that occur during the policy period and up to 12 months after the policy expires. Keep in mind that employee theft can take time to discover. This form could expose you to the risk of financial loss spread over multiple years.

What types of fraud can occur with employee pension or 401(k) plans, and how can they be prevented?

In 1974, the Employee Retirement Incomes Security Act (ERISA) established insurance guidelines to protect the assets of any employer-sponsored pension, profit sharing, or employee welfare plan. ERISA requires that 10 percent of any benefit plan assets be covered by insurance to protect the plan(s) from employee dishonesty. Coverage protects the participants and beneficiaries from dishonest fiduciaries who handle the plan assets.

There are two ways to provide such coverage, either by endorsing the crime policy or purchasing a separate bond through your insurance company. Keep in mind that it is important to regularly review your plan and review the information provided by your administrator.

What procedures can an employer implement to reduce the risk of employee theft?

In a slow economy, businesses have experienced stalled growth, reduced revenue, liquidity concerns and implementing procedures to reduce theft becomes a higher priority as a loss becomes more certain. A business owner should look into implementing loss control procedures to protect the company’s assets. Here are a few examples:

  • Isolate duties — split the job of taking money in and sending it out for deposit. Books kept by one person should be reconciled by another.
  • Require countersignatures on all checks.
  • Perform background checks.
  • Establish a code of conduct.
  • Implement whistleblower programs.

Nearly every business needs to consider purchasing a commercial crime insurance policy, although determining as to what limit can be difficult. Companies should consider the financial impact of an employee theft claim and discuss this with their accountant, attorney and insurance agent.

Marc McTeague is president of Best Hoovler McTeague Insurance Services, a member of the SeibertKeck Group. Reach him at (614) 246-RISK or mmcteague@bhmins.com.

Insights Business Insurance is brought to you by SeibertKeck Insurance Agency

Published in Columbus
Saturday, 30 June 2012 21:00

The impact of fraud on organizations

The Association of Certified Fraud Examiners’ (ACFE) “2012 Report to the Nation” is one study that describes the losses that an entity may experience as a result of fraud: A typical organization loses approximately 5 percent of its annual revenue to fraudulent acts.

Small businesses often suffer disproportionate fraud losses, as the “median loss suffered by organizations with fewer than 100 employees was $190,000 per [fraud] scheme, says James P. Martin, managing director for Cendrowski Corporate Advisors LLC.

“In today’s environment, companies of all sizes need to consider the risk of fraud and take proactive measures to help mitigate the risks that they face,” says Martin.

Smart Business spoke with Martin about how a to take proactive measures to protect a business and help it fight fraud.

What can companies do to help mitigate the risk of fraud?

Fraud is not a random occurrence; it happens in situations in which conditions are right for it to happen. Identifying the root causes of fraud and removing the potential for fraud is called fraud deterrence.’

There are procedures can be applied in any organization to help alleviate the growing threat of fraud.

What is fraud deterrence?

The term ‘fraud deterrence’ refers to a systematic approach to identifying and removing the causal factors of fraud; it is not simply a plan focused on earlier fraud detection. Fraud deterrence is based on the premise that fraud occurs when the conditions are right for it to occur, more specifically, in situations in which there is motive, opportunity and rationalization for a fraudulent act.

These three elements, comprising the ‘Fraud Triangle,’ are the focus of fraud deterrence, as the removal of any one of these element will reduce the opportunity for fraud to occur. In this manner, fraud deterrence centers on the premise that the causal factors of fraud can be recognized and proactively reduced in an organization.

 

How do the causal factors of fraud work?

It is through the implementation of strong internal controls that elements of the fraud triangle — the causal factors of fraud — are reduced. To illustrate the deterrence actions, consider a familiar example relating to fire deterrence and response:

Fire extinguisher = remediation

  • The fire has already happened.
  • Minimize the damage by quickly controlling the fire.
  • The longer the response time, the greater the damage that will occur.

Smoke detector = earlier detection

  • Earlier detection, before fumes can even be smelled.
  • Detects nothing until the event actually happens.
  • By the time the detector is activated, there has been a fire.

Removal of causal factors = deterrence

  • Removal of flammable materials
  • Removal of sources of ignition (e.g. not allowing smoking, flammables away from a flame source such as a water heater)
  • Increasing awareness of risk of fire (e.g. Smokey the Bear)

Deterrence of the fire event, just as in the case of fraud, is effected by the removal of causal factors without waiting for a warning sign that something has gone wrong. Of the three elements of the fraud triangle, ‘opportunity’ can be most directly addressed by the organization through improvements in the internal control structure.

What improvements can help eliminate opportunity?

First and foremost, make sure that cash is well controlled, and that starts with the bank account. The bank reconciliation should be performed by a person not involved with collections or disbursements.  The bank statement should always go to a person not involved with any of those functions; in the case of a small business, the statement should go to the owner.

The statement should be reviewed for unexpected activity, including looking at the payee of each check, before a copy is provided to the person doing the reconciliation. Likewise, cash collections and deposits should be independently counted and verified. Basic diligence of cash can prevent many fraud schemes.

Would the deterrence activities also identify the need for further investigation?

Yes, fraud deterrence initiatives frequently move to detection activities: Fraud deterrence identifies an opportunity that could allow a fraud to occur; detection activities are performed to determine if anyone has exploited that opportunity.

Fortunately, fraud deterrence, and the resulting understanding of the opportunity for fraud, provides a clear roadmap for where such detection activities should be applied. Clearly, an organization that has instituted fraud deterrence activities has a greater defense against fraud than one that has not actively identified and eliminated the opportunity for fraud in its organization.

James P. Martin, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or jpm@cendsel.com.

Insights Accounting is brought to you by Cendrowski Corporate Advisors LLC

Published in Chicago

Savvy business owners know the value of internal controls and the critical importance of reviewing those controls on a regular basis. Effective internal control systems must be adapted to changes in business practices and the global economy. So how do today’s top businesses keep up?

Smart Business spoke with industry expert Ernie Rossi on the prevention and detection of internal fraud. For almost 20 years, Rossi has educated clients on maintaining effective internal controls. As an audit partner at Sensiba San Filippo LLP, Rossi teaches clients best practices for establishing internal controls and keeping them in step with the times.

What kinds of businesses need to protect against fraud?

No company is 100 percent immune to fraud. However, certain types of companies are at greater risk. Small companies tend to have limited resources, meaning they have employees who perform multiple duties. This is a problem because small businesses cannot easily separate what a good internal control structure would call ‘conflicting tasks.’ Properly separating tasks forces perpetrators of fraud to conspire in order to steal, and collusion is more difficult than acting alone.

Larger businesses may be more capable of separating tasks, simply due to having more staff, but over time, they can experience increasing risk of fraud if they become lax in pinpointing loopholes in their systems. Given time, people find weaknesses in the system, and can exploit these.

One common denominator among companies is that few believe they are susceptible to internal fraud. But statistics in this area are clear — most often, fraud is perpetrated by a long-term employee or friend. It is best to have well designed and implemented internal controls that reduce, as much as possible, the opportunities to commit fraud in the first place.

Under what conditions does internal fraud occur?

Internal fraud can be compared to a ‘perfect storm’ in which a motivated perpetrator meets poorly designed or poorly implemented internal controls and little or no monitoring of those controls. It is generally a rationalization on the employee’s part that they are entitled to the fraud. For example, the perpetrator might say, ‘The owner makes way too much money,’ or, ‘I work really hard, and the business doesn’t properly reward me for my efforts.’

You can distinguish between businesses that have poorly designed internal controls and those whose controls are poorly monitored. Internal controls may be in place, but sometimes the business’s culture evolves to a point where controls are allowed to be ignored. One common example: An increasingly busy workplace where checks are signed without thorough review of supporting invoices.

How can companies prevent internal fraud?

Companies that are led by a management team who sets the ‘tone at the top,’ by modeling the greatest degree of integrity, may be at less risk for internal fraud.  Business owners who play fast and loose with tax laws and company assets can expect employees to feel comfortable doing the same. While some business owners recognize the risk of fraud, they are often unsure about the steps required to prevent it. Companies should start small. The first step is to leverage a third party to review the business and uncover potential problems through an assessment of internal controls. This will help identify the areas of biggest risk — the low-hanging fruit.

The second step is to implement controls, such as separation of duties of employees, to shore up vulnerabilities uncovered in the assessment. Next, periodic reviews by internal managers and external assessors will help to keep controls from slipping out of practice.

It’s also important to educate employees about the purpose of the controls. Increased awareness, along with the knowledge that internal controls are a priority, will serve as a strong deterrent. Communicate that internal controls will ultimately protect employees if and when a fraud is committed by allowing them to quickly be eliminated from suspicion.

Financial audits can be helpful, but audits alone cannot replace internal controls or a thorough risk assessment. Audits only test a sample out of thousands of transactions, which are selected at random. So, the audit may catch an error, but it is no guarantee that the error is going to be a result of the fraud.

What qualifies an individual or a firm to assess risk?

Consider hiring a CPA with audit experience. They need not specialize in fraud, but they should be someone with lengthy experience in public accounting. Generally, CPAs with significant public accounting experience are well suited to evaluate controls that currently exist and assist in developing additional or more effective controls.

Basic assessments can be conducted over a few days or weeks, depending on the size of the business and amount of time needed to document the business’s day-to-day practices. The assessment does not need to be done all at once. The business owner should meet with the selected professionals, perform a general assessment, and then design a plan over time to develop and implement a comprehensive internal control system. After controls are implemented, periodic maintenance should be performed. Over time, even good controls will become less effective. Eventually people find their way around the controls, especially if they know they are not monitored regularly.

How does a service provider help clients protect themselves against fraud?

Any service provider should talk with clients about controls frequently, and not just during an annual audit or financial statement preparation. In every meeting, they should listen for key phrases or changes to the business. For example, the phrase, ‘We’re having cash flow problems,’ may indicate a control issue.

In order to truly reduce the likelihood of fraud, education and communication should be top priorities on both sides of the table.

Ernie Rossi is an audit partner at Sensiba San Filippo LLP, a regional CPA firm based in the San Francisco Bay area. He may be reached at (925) 271-8700 or erossi@ssfllp.com.

Insights Accounting is brought to you by Sensiba San Filippo

Published in Northern California

According to the Association of Certified Fraud Examiners, a typical organization loses roughly 5 percent of its annual revenue to fraud. When applied to the Gross World Product, this figure translates into approximately $3 trillion in fraud losses each year.

Though the economy appears to be on the mend, fraudulent activity remains prevalent in today’s business environment. When a fraud is suspected, a company or its counsel may retain a forensic accountant to investigate the matter.

“Forensic accounting is an important branch of accounting, and perhaps one of the most opaque,” says Walter McGrail, CPA, senior manager of Cendrowski Corporate Advisors. “It is a crucial tool in the investigation of white collar crime.”

Smart Business spoke with McGrail about fraud, forensic accounting and the tools used by forensic accountants in their work.

What is a forensic accountant and how is that person involved in fraud investigations

A forensic accountant is an individual who combines expertise in accounting, auditing, finance and investigations to assist legal professionals. Forensic accountants are typically engaged as expert witnesses, or they employ investigative skills that may require courtroom testimony; these individuals serve at the intersection of business and law.

Fraud investigations, including activities centered on obtaining evidence, performing interviews, writing reports and testifying in a case of fraud, are generally performed by forensic accountants looking to reconstruct historical events leading to the event. Historical event reconstruction is often critical for the accountant to understand the motive for perpetrating a fraud, the opportunity that allowed the fraud to occur in the organization and the rationalization employed by the fraud perpetrator in performing a fraudulent act.

These three elements comprise what forensic accountants call the ‘fraud triangle,’ and each element must be present in order for a fraud to occur.

Where might a forensic accountant begin his or her fraud investigation?

One of the first steps involved in a forensic investigation is to conduct a background investigation on the key players believed to be involved in the fraud. Knowing as much as one can about the individual or individuals in question sets a good foundation for future work that will be conducted in piecing together historical events.

Background checks will reveal if an individual has a history of criminal or civil litigation, as well as whether or not he or she is under financial duress or other pressures. These pressures may provide the rationalization needed for a fraud to occur. Background checks might also shine light on the motives for an individual to perpetrate a fraud.

Can a forensic accountant discern information from tax filings and documents?

Tax matters can become a basis for leads and disclosures on any forensic accounting engagement, and tax professionals are a vital part of any forensic accounting team.

Tax filings and documents are often a great source of information in the conduct of a forensic accounting engagement. These reporting devices are oftentimes generated by third parties. Information included on Forms W-2, 1099, 1098, etc., is typically prepared by third parties and reported directly to the taxing authorities, as well as to taxpayers.

Tax reporting may reflect financial information that is not otherwise made readily available by the target of a forensic examination. Taxpayers that otherwise keep information close to the vest often feel compelled to make accurate filings with tax authorities to avoid running afoul of tax laws. It’s one thing to treat financial information as proprietary and restrict its disclosure to third parties; it’s another thing altogether to misrepresent tax matters to federal, state, or local tax authorities.

Taxpayers also often use professionals to assist with their tax reporting compliance. While tax professionals may serve as advocates for their clients, rarely will independent accountants risk becoming complicit with inaccurate reportings.

How might a forensic accountant use tax returns to deduce information?

Tax filings can often be compared one to another in order to identify forensic financial information. Comparing business returns such as Schedules K-1 to US 1040s and federal returns to state returns and business returns (US 1065 or US 1120S) to business general ledgers often results in financial revelations not otherwise readily available to the forensic accountant. Moreover, there may be tax benefits motivating persons to make full disclosures to taxing authorities. For example, tax refund claims generated by losses or credits which can result in immediate cash flow generally require a fair amount of supporting disclosure and documentation.

By utilizing a forensic accountant, an organization can not only determine how and why a fraud occurred but can use the information gathered in a courtroom against the perpetrator.

Walt McGrail, CPA, is senior manager of Cendrowski Corporate Advisors. Reach him at (866) 717-1607 or wmm@cendsel.com.

Published in Chicago

In today’s economy, companies should be doing everything they can to prevent or eliminate temptation on behalf of their employees. Many employees are truly struggling financially and putting food on the table is a basic need for all of them. Where will the money come from? Many will look to the most ready source of cash: their employer.

“Knowing what might provoke an employee, even an otherwise lawful, ‘good’ person, to blur the line between legal and illegal activity is the key to fighting fraud effectively,” says Randy Cochran, a director with Crowe Horwath LLP.

Smart Business spoke to Cochran about how businesses leaders can effectively limit any perceived or real opportunity for employees to commit fraud within their organization.

What drives employees to commit fraud?

Famed criminologist Donald R. Cressey first identified three elements — opportunity (including general knowledge and technical skill), pressure and rationalization — as the ‘fraud triangle’ to explain why people committed fraud. Cressey’s classic fraud triangle helps to explain many, but not all, situations.

Fraud is more likely to occur when someone has an incentive (pressure, like medical bills) to commit fraud, weak controls provide the opportunity for a person to do so, and the person is able to rationalize the fraudulent behavior.

Today’s fraudster is more independent-minded and armed with more information and access to corporate assets than was the perpetrator of Cressey’s era.

More technology, matrix organizations, performance-based pay and a corporate culture that celebrates wealth and fame have led to greater autonomy and authority to effect change across the organization. These differences support the need to expand the fraud triangle to a five-sided fraud pentagon, where an employee’s competence, or power to perform, and arrogance, or lack of conscience, are factored into the conditions generally present when fraud occurs.

How can a business address these driving factors?

With the changes to organizations listed above and employees’ increasing responsibilities in their respective roles, competence and arrogance are at an all-time high. Pressure is being generated both inside and outside the company at an ever-increasing rate. But of the five elements of fraud, the company has the greatest influence and control over opportunity. In fact, the company is almost entirely in control of the opportunity side of the triangle.

Opportunity for fraud to take place is marked on one end by controls — physical, logical, automated, manual, visual, etc. — and on the other end by management review, monitoring and reporting. Somewhere in the middle is separation of duties, reconciliations, internal audits, external audits, and all other means of checking the numbers on a regular, periodic and sometimes on a surprise basis. All of these control measures fall within the purview and responsibility of the company.

What common mistakes do businesses make when attempting to prevent fraud?

So let’s say all of the controls above are in place. The company contributes further to opportunity when the controls are not effectively implemented, executed and monitored. This is where most companies fall woefully short.

Controls that were effective for the way the company operated five years ago often become ‘false’ indicators of control due to system, process, procedural and organizational changes, and diversification of responsibility.

Many companies are doing such a poor job of managing opportunity that they unknowingly cause or contribute to many otherwise good people ‘going bad’ on the job. You need look no further than the Association of Certified Fraud Examiners (ACFE) 2010 Report to the Nation to see that this issue is supported by data from more than 1,800 actual cases of fraud. In the 2010 report, ACFE reported that ‘lack of controls, absence of management review, and override of existing controls were the three most commonly cited factors that allowed fraud schemes to succeed.’

What steps should companies take to limit the ‘opportunity’ for fraud to take place?

Companies should start with an enterprise-wide risk assessment.

Start with a control review. While the company may have wonderful controls in place, it may not be controlling its biggest, most common, or most obvious risks, or those unique to its business and/or industry.

In performing a risk assessment, there is a need for a common language or nomenclature, a process to identify and rate the risks, and the ability to determine mitigation strategies for the company’s chosen level of risk (risk profile). Management will want to invest the time necessary for thorough discussion of the risks and the rating, because this will drive the mitigation effort and investment.

With the risk assessment complete, compare the current controls in place to the risks that require mitigation and see where you stand. Obvious gaps will show up, which will require modification and/or redesign of your control environment, including new and specific control techniques.

Last, for companies of all sizes above 25 employees, implement a process by which employees, vendors and customers can access and report suspicious activity via a tip line. It may sound overly simple, but ACFE reports that occupational frauds are detected by tips more than any other means, including management review, internal audit and review of documentation. The tip line, and the awareness of its existence and use, is the primary way to limit the perception of opportunity in companies big and small.

Randy Cochran, CFE, is a director with Crowe Horwath LLP in the Dallas office. Reach him at randy.cochran@crowehorwath.com or (214) 574-1018.

Published in Dallas
Page 1 of 2