Fraud Lurks: Business Risk Assessment – For YOUR Business

This is the fifth installment of our “Fraud Lurks” series.  Like any good mini-series, each article can stand on its own but is most valuable when read in context with the earlier articles.  This month we will build on the premise that all businesses should conduct a Business Risk Assessment and make certain internal controls are implemented to guard their most vulnerable areas.

My fear, of course, is I scared some of you off last month.  That Business Risk Assessment sounds like a lot of work and seems like it requires specialized knowledge.  Not really.  The specialized knowledge you need is what you already have – knowledge of your business.

I absolutely want you to perform the Business Risk Assessment.  To look at that another way, just ask yourself:

1. In what areas are we vulnerable?
2. What can reasonably go wrong?
3. If you were to steal from your company, how hard would it be?
4. What would you steal and how would you do it?

If your greatest concerns are some unauthorized mail through the postage meter and missing tape at Christmas time, you’re in good shape.  Chances are you have much greater issues.

I like to ask clients and would-be clients, “What keeps you up at night?  What would seriously cripple you if it were to happen?”

One client mentioned the lifeline of his business was their proprietary drawings and product designs. When I asked where they were stored he replied, “In the computer of course, but we keep a hard copy in a file cabinet.”   I walked over to the file cabinet and it was unlocked.  I asked a nearby employee about it and she told me the key seemed to be lost so they no longer lock that cabinet.  When I asked who had access to the files stored electronically and what controls they had implemented to limit access to only who needed it, the answers were not pretty.

Another client suggested it was his customer list and customer-specific pricing.  Limited controls there as well.

If your company has inventory, appropriate controls will depend on what that inventory is.  In article 3, I discussed how vulnerable auto parts were to theft.  This holds true for almost any retail establishment.  However, if your product is granite slabs or concrete blocks, inventory risk is different.

All this goes back to YOUR Business Risk Assessment.   You know your business, your people, and yourself.  You can do this.  While on the subject of “your people” I do not want to hear, “Mary does that.  She is honest as can be; I’m not concerned there.”  Let me tell you in nearly every fraud I have investigated, someone says something to the effect of, “I never would have suspected him/her.”  News Flash: In order to have the opportunity to steal, the perpetrator has to be a trusted employee.  Because you are watching the employees you don’t trust!

A few tips on specific controls once you have identified the areas which need controls.

1. If the control is complicated and/or difficult, that control will be over-ridden. For example, a clerk needs to get signed approval multiple times a day from someone who sits on the other side of the office.   Or two signatures required on every check.  I’ve seen this near valueless control frustrate employees to no end.
2. If the control requires top management to approve day-to-day transactions, it is unlikely to be successful. Management will tend to override that control feeling they have better things to do.
3. If the control requires a supervisor’s subordinate to sign off as having reviewed the transaction, it doesn’t go well.

Instead, do the following:

1. Keep controls simple.
2. Be clear who is accountable. Who is accountable in the “two signature” policy?  Neither party, since each assumes the other person reviewed the disbursement.
3. Use detective controls which allow for batching data and can be very efficient.
   1. I can’t set up a phony vendor – he/she will spot that upon review of the bank statement.
   2. Same with phantom employees – the President reviews the W-2s and I will get caught.
4. I can’t let that go without further mention. You should review payroll more frequently than annually but YOU MUST review the company’s W’2s at year-end.  This once a year, 15-minute exercise is an incredibly valuable control that can identify:
   1. Phantom employees
   2. Unauthorized bonuses, overpaid overtime, etc.
   3. Employees with no Federal withholding – these might be income tax dodgers
   4. Employees who somehow made much more than that position warrants
5. Have an anti-theft policy in your employee handbook. Make it clear theft is not acceptable and what the consequences of theft are.
6. Institute a confidential fraud reporting hotline. This could be to a designated person, in HR for example, or an outside company.

Make this your internal controls mantra:

• Specific to your company
• Considerate of your size and complexity
• Easy to follow and administer
• Become part of the company’s culture

If you want or need help, we are here to assist.

I’m going to lighten it up the next few months.  I will provide descriptions of actual fraud cases on which I worked, without identifying names.  We will review what happened, why it happened, and what controls could have prevented or, at least minimized damages.

Lastly, I am always interested in your feedback.  Feel free to email me (olejarski@hwco.com) with your comments.