Anti-Fraud Controls Should Include Accessing the Books
TraceTech Solutions, LLC helps small and mid-size business owners to protect their organizations against the most-common back-office cash frauds. Over the years we’ve developed a small but simple and strategic list of financial controls that we feel all our clients should implement to defend themselves against these schemes.
The list contains well-known controls gathered from and repeated in many sources. It had been static for about a year. But we recently added a new control to the list. One borne from experience.
Here’s how it happened:
Several months ago we were engaged by a professional to do some investigatory work. He suspected that his bookkeeper had been dishonest.
He owned two businesses. His bookkeeper had set up separate QuickBooks files for each. We investigated one of those files. It became clear that over the last several years the bookkeeper had been giving herself “unauthorized raises”. Our client quickly terminated the bookkeeper’s employment.
Since we had only investigated one of the two files, we recommended that our client also look at the other file for suspicious activity.
He called us back a couple of days later with some surprising news.
He couldn’t open the other QuickBooks file. At some point, perhaps even years ago, the bookkeeper had changed the password – without telling him, of course.
It’s now been several months since we ended our investigation. To this day, he has been unable to view the other business’ books.
As a result of that incident we now recommend that our clients and prospective clients personally open each set of electronic books quarterly – just to make certain they can still get in.
It’s a simple control. It requires about one minute of time every quarter. If they find that they can’t open the file they need to remedy the problem asap. Once they open the file they should check the numbers and satisfy themselves that the password change was an innocent oversight on their or the bookkeeper’s part.
a
TraceTech Solutions provides small businesses with unique, low-cost financial books monitoring services. Learn more about TraceTech’s services here: TraceTech Solutions website.
Start from the most-recent blog post here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
Are My Financial Controls Working?
It’s habit. Whenever she exits her apartment, my 88-year-old mother-in-law locks the door then turns the handle to see if the door is indeed locked. She could teach many business executives something about financial controls that probably never occurred to them.
First consider financial controls themselves. Organizations implement financial controls to protect their assets. There are basically two types of financial controls: those that are designed and implemented so that good things happen, and those that are designed and implemented to prevent bad things from happening – or at least detect a bad thing before much damage is done.
All enterprises, even single owner enterprises, have financial controls. The success of those controls depends on many factors including but not limited to the “tone” of the organization, its internal and external financial expertise, the structure of the organization and the skills and personnel that make up the organization.
That being said, no organization I know of has a perfect set of controls. Controls deal with processes and people. As processes, the effectiveness of controls is far more predictable than the people who implement those controls. When the need arises and the opportunity presents itself, even the most trusted employee can be tempted to eliminate their perceived “pain” by circumventing controls and concealing a theft from managers, executives, accountants and auditors.
The one and only way to determine, then, if financial controls are working as intended is to test them. Here’s where my mother-in-law’s behavior comes into play. She not only implements a control (by locking the door) she also tests the control (by making certain that the door is locked).
Unfortunately, testing financial controls is usually more difficult than implementing them. Many key financial controls are transaction-oriented. Testing those controls requires examining a significant number (ideally all) of transactions. Manual procedures cannot possibly look at a large enough sample of transactions to determine if a control is working properly. But technology can examine more transactions in a minute than manual procedures can examine in month. Technology is not a perfect testing solution but it’s more cost-effective than any other. For additional information, just contact us through this website.
a
TraceTech Solutions provides small businesses with unique, low-cost financial books monitoring services. Learn more about TraceTech’s services here: TraceTech Solutions website.
Start from the most-recent blog post here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
Background Checks on Prospective Accounting Employees
Dateline: January 30, 2012
Headline (NY Times): “In Million-Dollar Theft Case, Church Worker With a Secret Past”.
Summary: A 67-year-old accounts payable clerk for the New York archdiocese has been indicted for embezzling $1,000,000 from the church. According to prosecutors and auditors, the embezzling had been going on for seven years. The accused clerk prayed and volunteered often. She had gained the complete trust of the staff. And if the church had done a background check before hiring her in June, 2003, they would have discovered that she had been convicted of grand larceny in one case and had pleaded guilty to a misdemeanor in another.
A background check on an A/P clerk? Yes. Along with background checks for any other position that receives, disburses or manages large sums of the organization’s money. That includes accounts receivable clerks, bookkeepers, controllers and CFOs. Depending on the organization and the responsibilities of the various administrative employees it might also include office managers, secretaries, receptionists and anyone at all who will have access to blank checks, checking accounts, credit cards, payroll and/or significant sums of cash. The blogs on this site detail dozens of frauds perpetrated by employees in these roles.
Background checks aren’t’ perfect. They uncover “problematic” information only if a “problem” has been reported. Many problems are never reported. But the red flags that the checks do turn up can literally save a business.
David Sawyer, President of Safer Places, Inc., in Middleboro, MA (www.saferplacesinc.com), recommends that prior to making an offer to any candidate for these types of positions, prospective employers should at minimum:
- start with a name & address history search so as to know where to look for criminal records and what names to search under (records are not filed by Social Security number)
- search the courts in all jurisdictions where the candidate has resided for the past 10 years (minimum)
- check the candidate’s credit history
- search a national criminal history database and check sex offender registries in all 50 states
Some positions may warrant additional searches. A search specialist like Dave will help hiring executives to understand the types of checks that will make the most sense.
a
TraceTech Solutions provides small businesses with unique, low-cost financial books monitoring services. Learn more about TraceTech’s services here: TraceTech Solutions website.
Start from the most-recent blog post here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
A Tale of “Trust but Verify”
TraceTech Solutions was founded upon the phrase “Trust but Verify”. After six years at an accounting firm it became clear to me that neither owners nor accountants have the time or the tools to verify a business’ books. So it’s never done, a fact that allows bookkeeping errors – both unintentional and intentional – to go unnoticed.
The unintentional errors usually do little harm but they may be an indication that controls should be tightened. The intentional ones…that’s another story.
An attorney first introduced the phrase “Trust but Verify” to me many years ago. It was, he said, the motto of any good attorney. He practiced “Trust but Verify” internally by personally signing every single check issued by his office and personally reconciling every single bank statement.
The attorney called me a few weeks ago. It seems that despite his vigilance his verification efforts weren’t enough. He had discovered that his trusted paralegal, in his employ for eighteen years, had over the past two years circumvented his verification controls and pilfered $20,000 using a check fraud scheme he couldn’t have even imagined.
Hypothetically he inquired whether TraceTech’s methods could have spotted the theft earlier. I had to tell him that the scheme his paralegal used is not unusual…and its’ one that TraceTech always checks for. But that will be the subject of another blog.
Sadly, every “incident” like the one above is the work of a person or persons that the business trusted. That’s a hard fact for any business owner to swallow. “Trust but Verify” is an integral part of any business, though. From reading reports and plans to examining work at a job site, “Trust but Verify” moves organizations forward. TraceTech Solutions has simply applied the concept to an area where Trust has been traditionally been bestowed but Verification has traditionally been difficult to obtain. Times have changed…
a
TraceTech Solutions provides small businesses with unique, low-cost financial books monitoring services. Learn more about TraceTech’s services here: TraceTech Solutions website.
Start from the most-recent blog post here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
Lessons from a Chinese Restaurant
Yesterday my wife and I dined at our favorite Chinese restaurant. We love the establishment. Nearly everything on the menu is cooked in a dish-specific sauce. The food presentation is lovely. The wait staff are pleasant. And once a week the restaurant stocks a dinner buffet that’s to die for. The lines can get a little long but the food is worth the wait. The buffet includes about twenty dishes and although a few dishes appear week after week the rest of the buffet dishes vary from week to week. My wife and I try to get there at least once a month.
And yesterday, for the first time I noticed that the owners had set up a hand-sanitizer dispenser immediately inside the front door. Perhaps the owners placed it there a while ago and I never paid attention to it. But that doesn’t matter. Its presence got me to thinking about being cautious. That’s exactly what the owners were doing: being cautious.
After being seated and having finished a cup of hot and sour soup I approached the buffet and for the first time really “noticed” the clear cough shields just above the food trays. They’ve been there as long as I’ve been going to this restaurant but it was another reminder of the precautions the owners had taken (although in this case the precautions were likely mandated by the board of health).
Then, as I left the buffet area with a plateful of food I grabbed a pair of chopsticks as I always do. And for the first time really “noticed” that Chinese restaurants no longer wash and reuse chopsticks as they do with flatware. Now all chopsticks are individually wrapped, used by one and only one customer and then disposed of. Although this, too, may be mandated it’s just another sign of the precautions taken by restaurants to protect the health and well-being of their clients.
“Caution” is also an important word when dealing with a business’ financials. TraceTech Solutions, LLC was formed to provide business owners with a precautionary option that had never been available. TraceTech provides a second pair of eyes on a business’ books. We leverage the power of IT to look for nearly-inevitable bookkeeping errors and the occasional possibility of theft.
TraceTech doesn’t believe that most bookkeepers intentionally make bookkeeping errors. But the fact is that bookkeeping is a manual, detail-oriented task often performed by multi-tasking administrators. Errors creep into books and sometimes never come out. Errors that can skew financials reports. Errors that can stymie people who try to make sense of the numbers.
And then, occasionally a dishonest bookkeeper will intentionally enter errors. Or enter valid but fraudulent transactions. The results can range from mildly annoying to catastrophic.
Either way, the operative word for owners is “caution”. This blog site has always provided its readers with simple and effective precautionary tools that can reduce the risk of financial theft and reporting error. We encourage our readers to learn from our past blog posts. A little caution can go a long, long way to saving a business.
a
Start from the most-recent blog post here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
TraceTech Solutions provides small businesses with unique, low-cost financial books monitoring services. Learn more about TraceTech’s services here: TraceTech Solutions website.
How Heavy is a Ghost?
Last week a sales executive I know contacted me and asked if might be able to substitute for her at an upcoming networking group meeting.
Networking groups (for those who don’t know about them) are forums for businessmen and businesswomen to get to know each other and exchange ideas and referrals. In one segment of a typical networking group meeting every attendee has the floor for one or two minutes to tell the other group members about the product or service that they provide to their customers and clients.
Anyway, after I told Meaghan that I’d gladly represent her at the meeting she sent me the text of the message that she wanted to pass on to the group. Part of the message was that her employer, Solex Payroll (www.solexpayroll.com), can typically slash a business’ payroll costs by 30%-50%.
Believe it or not, the statement made me jealous – just because it contained a real, honest-to-goodness, verifiable statistic. A statistic that Solex Payroll could back up if asked.
I wish I were that lucky. No one, and I mean NO ONE, has any reliable statistics about workplace fraud.
Not that statisticians haven’t tried. There are, in fact, published statistics about workplace fraud. But all of those statistics are based on reported fraud losses. The “gotcha” is that no one knows the percentage of workplace frauds that aren‘t reported. Worse: investigations that uncover workplace fraud may fail to uncover all the schemes that are being used. And worse still: investigations that do not uncover fraud may miss frauds that are actually there.
So trying to determine the scope of the workplace fraud problem is akin to trying to weigh a ghost. In order to measure something you need to be able to “encapsulate” it. That can’t be done with workplace fraud.
Statistics can send a powerful message, though. So when I address a large group I always have the group generate “local” statistics about workplace fraud. It usually opens a lot of eyes and drops a lot of jaws.
A few months ago, for example, I presented a workplace fraud webinar to B2B CFO, a nationwide organization of part-time CFOs (www.b2bcfo.com). Prior to the webinar I had asked the members about their personal experiences with workplace fraud. I presented the results of this informal survey in the first few webinar slides. Here they are:
- 57% of responders personally knew a business that had been defrauded of over $20,000
- 66% of the known perpetrators were either executives or on the accounting staff
- 61% of the known perpetrators had been with the business for three or more years
- 65% of the responders felt that the losses were either “major” or had seriously impacted the business
As I pointed out the to the attendees, as shocking as the results seem these numbers are typical for groups that I speak to.
So how much does the ghost weigh? Darned if I know. But it’s probably heavier than most business executives believe. And ignoring the ghost can come back and haunt you.
a
The TraceTech Solutions’ blog specializes in articles that discuss actual small-business frauds and what small-business owners can do to prevent them. Start from the most-recent article here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
TraceTech Solutions, LLC provides small businesses with unique low-cost fraud monitoring and detection services. Learn more about TraceTech Solutions’ services here: TraceTech Solutions website.
Signature Service
One of the two signatures of Abrahan Lincoln below is genuine. I penned the other one after about two minutes of practice. I won’t tell you which is which. It doesn’t matter. The point is that it’s simple to forge a signature.
Many business owners believe that since they sign every check (or believe they do) there’s no way that a back-office employee can steal the business’ money.
Sadly, they’re mistaken. Although signing every check is a deterrent, signature-forging is so easy (as evidenced above) that a bookkeeper or an office manager could sign anything in the owner’s name – checks, credit card applications, bank account applications – and most people who examine the signature would be unable to tell that the signature was forged.
Forgery is a common fraud scheme. The amount of money that businesses have lost to forgeries is mind-boggling. Here’s a recent example:
Wisconsin Kitchen Mart’s owner Nancy Rossman recently discovered that over a five-year period her trusted bookkeeper had written and cashed 79 unauthorized checks payable to the bookkeeper’s husband. The bookkeeper simply forged the signatures of Rossman or Rossman’s husband and business co-owner Jeffrey on the checks.
The checks totaled $49,268 in 2006, $182,560 in 2007, $172,044 in 2008 and $213,560 in 2009. To avoid detection the bookkeeper recorded the checks as having been written to legitimate Wisconsin Kitchen Mart vendors. You can read the story here: Retail Establishment Embezzlement Story.
One reason why thefts such as these go undiscovered for years is that no one – other than perhaps the perpetrator – is looking to see who checks are actually made out to.
Preventing forgeries like these can be difficult. But deterring and detecting them often requires just a few minutes a month to look over bank statements.
a
The TraceTech Solutions’ blog specializes in articles that discuss actual small-business frauds and what small-business owners can do to prevent them. Start from the most-recent article here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
TraceTech Solutions provides small businesses with unique low-cost fraud monitoring and detection services. Learn more about TraceTech’s services here: TraceTech Solutions website.
You Are Who You Aren’t
Not very long ago I visited my former employer, a Massachusetts accounting firm. There were some obvious changes. A locked door now prevented any visitor, including me, from walking past the receptionist’s desk. And I had to be escorted throughout my entire stay. It’s unfortunate but identity theft has reached a point where these types of measures are necessary.
Data privacy laws are designed to prevent intruders from stealing personal information. They cannot, though, prevent insiders from doing the same. As I walked through the premises I couldn’t help but think that every tax return being prepared contains information that could be used for identity theft. The entire set of the firm’s returns could be written to one flash drive and taken out of the building in a pocket. And how many HR reports contain sensitive employee data? The entire lot of them could fit onto one CD.
A payroll manager in California air freight office recently used her access to personal information to steal $480,000 – in less than a year and a half – from her employer. She stole a former employee’s identity and added that employee as a co-owner of her credit union account. That done, she authorized payments to be made to that former employee – which went directly into that account. All it took was some numbers – and a lack of oversight. You can read the U.S. Department of Justice report here.
The Information Age has provided us with unimagined opportunities (witness this blog, which you could not have been reading just ten years ago) both good and bad. Countering the bad requires more than locked doors and escorts. It requires vigilance. The work of any employee with the ability and/or authority to disburse a business’ money should be monitored closely. As trustworthy as the vast majority of employees are, one bad apple can cause a $480,00 bad hair day.
a
The TraceTech Solutions’ blog specializes in articles that discuss actual small-business frauds and what small-business owners can do to prevent them. Start from the most-recent article here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
TraceTech Solutions provides small businesses with unique low-cost fraud monitoring and detection services. Learn more about TraceTech’s services here: TraceTech Solutions website.
Overriding Concerns
As long as there are financial controls, there will be employees who override them. Score a point for the bad guys.
The Association of Certified Fraud Examiners’ 2010 Report to the Nations on Occupational Fraud and Abuse makes the following observation:
“In more than 19% of the cases [of the surveyed fraud reports], internal controls were in place but were overridden by the perpetrator or perpetrators in order to commit and conceal the fraud.”
Here’s the rub. Implement lax controls, and vigilance is necessary. Implement strong controls…and vigilance is necessary. That’s the way it is. Dishonest employees with motive and opportunity will find weaknesses in financial controls and exploit them.
Recently, the former general manager of Putnam Lexus in Redwood City, CA was sentenced to four years in prison for stealing over $800,000 from his employer. You can read the story here.
His was an unsophisticated scheme: the GM had the office manager cut checks to the GM after telling the office manager that the owner had approved the checks. A simple override of a good control.
Vigilance prevented the scheme from doing even more damage. The dealership’s owner uncovered the scheme while reviewing the company’s books. But had the scheme been less aggressive ($100,000 a month is pretty noticeable, ya think?), it might still be going on.
TraceTech provides business owners with cost-effective services that can help to expose schemes like this – and many others – before the owner is even are of them. Please contact us for more information.
a
The TraceTech Solutions’ blog specializes in articles that discuss actual small-business frauds and what small-business owners can do to prevent them. Start from the most-recent article here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
TraceTech Solutions provides small businesses with unique low-cost fraud monitoring and detection services. Learn more about TraceTech’s services here: TraceTech Solutions website.
Diverging Interests
“Conjecture:” a guess usually inferred from perceived truths.
Conjectures are an integral step to solving problems. They can often provide enlightening insights – even when they’re incorrect. As an example, consider the following three sentences, extracted from a press release issued by a New Jersey County Prosecutor’s office:
“[name deleted] was the accounts payable clerk for Lynnes Nissan in Bloomfield when it was determined that money was being stolen from the company and that the theft was carried out by an employee. It was determined she was not depositing all the cash she received from the parts and service department into the company bank account.” “Throughout 2007 and 2008 she stole $545,000 from her employer.”
Half a million dollars in two years. No matter how you look at it, that’s quite an aggressive theft.
Let’s start conjecturing.
Conjecture: No one outside the cash flow loop was regularly reconciling cash receipts with cash deposits. Had that happened, this theft would not have gone undetected for two years.
Conjecture: The clerk knew that no one outside the cash flow loop was regularly reconciling cash receipts with cash deposits. After all, she was able to steal half a million dollars before her scheme was detected. Experts say that most frauds require motive, rationalization and opportunity. The three sentences in this example suggest neither a motive nor any kind of rationalization. However, the opportunity was clearly present.
Conjecture: The clerk concealed the theft by “toying” with deposits to make it difficult to trace the receipts. For example, she might have split receipts among multiple accounts. Or she might have delayed depositing some receipts. So had someone tried to reconcile daily receipts with daily deposits, they would have found the going difficult.
Fact: Regardless of day-to-day variances, over a longer term the sum of cash receipts should closely track the sum of cash deposits. That suggests a different approach to detecting this type of embezzlement scheme. Rather than (and perhaps in addition to) reconciling daily receipts with daily deposits, businesses should reconcile longer-term cash receipts with cash deposits. Depending on the business, that might be a weekly reconciliation. Or a monthly reconciliation. Regardless, if over the long term, total cash receipts diverge from total cash deposits, find the cause.
Fact: TraceTech examines daily and long-term cash receipts vs. cash deposits as part of its Fraud Checkup service.
a
The TraceTech Solutions’ blog specializes in articles that discuss actual small-business frauds and what small-business owners can do to prevent them. Start from the most-recent article here: TraceTech Solutions’ Blog. We publish new articles frequently. If you’d like to receive a new article the instant that it’s published, click on the Subscription link in the upper right part of this page.
TraceTech Solutions provides small businesses with unique low-cost fraud monitoring and detection services. Learn more about TraceTech’s services here: TraceTech Solutions website.
