Our Top-Ten Steps to Fraud Prevention

A recent article in The Wall Street Journal* on employee fraud caught my attention.  The premise of the article is that more employee frauds are being committed in these difficult economic times.  Some business owners assume their business decline is due to the economy rather than a back office fraud.  Or, they may make the connection after cash is depleted and the business is failing.  How sad is that given that fraud is preventable.

The terms fraud prevention or fraud risk management are to me synonymous with the term “Internal Accounting Controls”.  I will frame this discussion using that terminology.  My recollection of the definition of Internal Accounting Controls (going back to graduate school and the CPA exam) goes something like this:

Internal Accounting Controls are those processes that provide reasonable, but not absolute, assurance that the misuse or misappropriation of assets is prevented or detected in the normal course of an accounting period and that financial statements are prepared on a timely basis and present fairly the results of operations and financial position of the entity.  Internal Accounting Controls are documented and all transactions are authorized and correct as to account, amount and timing.

Many business owners or senior mangers often place greater importance on trust than on implementing fundamental Internal Accounting Controls.  I once conducted a fraud investigation for a major non-for-profit medical foundation.  Our investigation found that a long-time, trusted and popular employee had defrauded the foundation out of a significant sum of money.  He had been there 17 years, never took vacation, volunteered for special projects and everyone liked him and his lovely wife.  In fact, that profile is often typical of someone who commits a fraud; a long-term employee who never takes vacations, volunteers for special projects and is well liked.  Think about it.  They have been around long enough to earn trust, figure out what management will and will not look at, never take vacations and volunteer for special projects to ensure no one pokes around in what they are doing.

One take away from that experience is that the foundation’s executive director had some level of responsibility for his employee’s demise.  The director presented an attitude of disdain for back office minutia.  He had placed employee trust ahead of fundamental Internal Accounting Controls thereby creating an opportunistic environment.  At that instance in time, the employee had a family member with mounting medical expenses.  When the opportunity presented itself, the employee stole.  As the economy continues on its present course, seemingly trustworthy people with increasingly desperate financial difficulties will do the same thing too.

Here are our top-ten steps for improving Internal Accounting Controls.  This is certainly not a complete list and, as you can imagine, it is hard to keep it to ten.  Nevertheless, it is a good start for any business owner or senior managers of any company.

  1. Control Cash Coming In the Door.  There are essentially two means for doing this.  (1) Log all checks received at a company’s offices into a bound journal book before forwarding to Accounting.  Compare that day’s journal entries to the day’s deposit slips brought back from the bank.  The person who sorts and opens customer payment envelopes, outside of Accounting, maintains this log and keeps the daily deposit slips.  Periodically, the business owner or a senior manager compares the journal to the deposit slips and to the deposits (debits) in the Cash Account in the General Ledger, investigating any differences.  (2) Utilize the services of a bank lock box so that checks are automatically deposited.  This is an especially good solution in small offices that do not have good segregation of duties.  These two solutions will help control the cash inflow side of the equation.
 
  1. Control Cash Going Out the Door.  An analysis of each population of Purchasing, Accounts Payable and Cash Disbursement transactions will reveal that 20 percent of those transactions will represent 80 percent of the dollars.  So, enhance the controls over the 20 percent of the transactions that represent 80 percent of the dollars by ensuring that those transactions are fully reviewed and approved by the business owner or a senior manager.  For guidance on implementing the 80/20 rule, please visit our Our Thought Leadership web site page and peruse the article entitled “Controlling the Cost of Management Controls”.  This will help control the cash outflow side of the equation.
  1. Inspect Checks and Bank Statements. The business owner or a senior manager should be receiving all bank statement envelopes unopened each month.  That person should review the statements for any unusual transactions and should inspect the front and back of each check returned by the bank for unusual payees or endorsements that don’t match the payee name.
  1. Control Master File Records. By “Master File Records” we mean the Vendor addressing particulars in the Accounts Payable system and Employee addressing and pay rate particulars in the Payroll system.  Initially, the business owner or a senior manager should inspect all Vendor records to look for unusual or unknown vendors.  Likewise, this should be done for the Employee Master File Records in the Payroll system, looking for unknown or terminated employees, matching addresses or unusual pay rates.  Once that is done, access to modify those records should be restricted to ensure that phony vendors or employees are not introduced or that addresses, direct deposit information or pay rates are not changed without authorization.  Then on a monthly basis, these Master File Records should be re-reviewed.  All Vendor payment envelopes or 1099s returned undeliverable by the Post Office should be routed directly to the business owner or a senior manager for investigation.  Likewise, returned envelopes for Payroll checks, direct deposit remittance advices or W-2s should receive similar scrutiny.
  1. Conduct Surprise Payroll Payouts.  In addition to locking up the Payroll Master File (item 4 above) Business Owners or senior managers should periodically perform an Audit procedure known as a Surprise Payroll Payout.  In this procedure, each employee must obtain their Payroll check or Payroll remittance advice (for direct deposit people) in person from someone outside the Payroll department and must verify who they are by showing an ID card.  Any unclaimed checks or deposit slips are investigated as that could represent a fictitious employee.
  1. Review All Company Credit Card Statements.  I was speaking to an early-stage client recently and learned that the CFO/Controller, whom I had only met on several occasions, had perpetrated a credit card fraud amounting to over $100,000. He looked like a trustworthy fellow. He had been charging personal items to the company credit card, having the items delivered to his home.  A growing trend is to pay vendors via a company credit card.  This is not a bad thing since it provides for Accounts Payable process efficiencies and member reward points or airline miles. However, all too often the company credit card statements go to someone in Accounting and receive no greater scrutiny than a clerk expediting payment to avoid an embarrassment at a restaurant. All credit card statements should be reviewed by the Business Owner or a senior manager before being forwarded to Accounting for payment.
  1. Segregate Key Duties.  The essence of this is that you want to segregate duties between people who have access to assets from those who account for the assets.  You would also want to segregate duties between people who authorize transactions from those who account for transactions.  This is not an easy thing to accomplish in a small office environment, but it is not impossible.  It takes some thought to figure it out and it all depends on the organization of each specific office environment.
  1. Take a Look In the General Ledger.  I was once a turnaround CFO/Controller for significant region of a publicly-held company.  I was brought in as a “clean up batter” after the company had discovered significant Accounting fraud.  Early into this situation I was working late one night preparing the upcoming year’s budget.  I had asked an accountant to budget the office telephone and electric expenses by inflating the past year’s expenses by the forecasted CPI for the upcoming year.  She came back with a budgeted expense amount that was some $350,000 more than I had expected.  I asked her why and she said it was “because of the credits.”  At first I didn’t get it but then it came to me.  In an effort to hide losses, the prior CFO/Controller had credited these utility expenses with offsetting debits going to obscure accrual accounts that we had not yet analyzed.  The lesson is that if someone is hiding something, one of the fastest ways of finding it is to look through the General Ledger for unusual transactions.  Not many Business Owners or senior managers will know how to do that.  It is time to learn how!
  1. Tighten Up Budgets and Insist On Timely Variance Reporting.  Even with the best Internal Accounting Controls, it is still possible for a fraud to occur.  You try to minimize the opportunities through “preventive controls” but it is not possible to eliminate them all.  Then you have to fall back on “detective controls”.  One of the best detective controls is to establish tight budgets and insist on timely monthly financial reports; i.e., variance reports.  Investigate any variances from the expected for indications of a possible fraud.
  1. Document Accounting Processes and Procedures.  A fundamental attribute of any system of Internal Accounting Controls is written process documentation to ensure training and ongoing compliance.  I cannot tell you how many issues of non-compliance go undisciplined because of the excuse that processes were not written, hence you cannot expect compliance.  Furthermore, in today’s regulatory environment, auditors and regulators are more often insisting on reviewing written procedural documentation at the start of any audit.  If that documentation does not exist, is inadequate or out of date that becomes a major finding.  For guidance on process documentation, please visit our Our Thought Leadership web site page and peruse the article entitled “The Process of Process Documentation”.
Our “Top-Ten Steps to Fraud Prevention” can be implemented by owner-managers of small businesses as well as by senior managers of larger companies.  In fact, I implemented these same steps in a $350 million publicly-held company with 7,000 employees during my tenure there as an interim Regional CFO/Controller.
_____________________________________
Covel, Simona.  “Small Businesses Face More Fraud in Downturn: Employees Engage
in Check Forgery, Petty-Cash Theft; Managers Sometimes Mistakenly Blame
Lower Sales Instead of Foul Play.”   The Wall Street Journal.  19 Feb.2009: B5.

 

© 2009.  The Fast Track Group, LLC.  All Rights Reserved.

last edited on February 25th, 2009 at 2:25 PM

The Process of Process Documentation

Written process documentation is a key attribute of any system of internal controls.  And, the trend today in auditing, compliance and risk management is towards requiring more written documentation of a wider range of a company’s policies and procedures.  This is not just true for public companies but also for private companies and not-for-profits as well.

Many companies lack process documentation.  This is because the writing process is more involved than just setting pen to paper.  It involves thinking about how you currently do something and questioning whether or not there’s a better way to do it.  And, that gives rise to “change” which is a difficult enough process to manage.  We believe there is no better way to improve processes than to set about to write them down.  It is that exercise that identifies and forces decisions about change.
Too often process documentation projects are assigned to internal teams and fail for a variety of reasons, including:
  • The project is assigned to people that already have “day jobs” with higher priorities;
  • The internal team, though great in their current roles, lack the writing and flowcharting skills, experience or process investigation disciplines required for a process documentation project;
  • The internal team lacks project management methodologies such as documentation formats and templates gained and developed over a large number of similar projects; and
  • Many internal team members will lack the meeting facilitation skills needed to champion meaningful change that may be opposed by colleagues.
Managing change and documenting processes is something we’re heavily experienced at.  We have completed numerous Process Improvement projects (which are all about change management) and the by product of that is always written process documentation.  To prepare that project deliverable in an efficient and timely manner, we have developed a structured approach to process documentation which always consists of two phases of work.  In Phase I we determine the scope of the documentation project and establish the project work plans.  In Phase II we undertake Process Improvement and process documentation.  Here is a highly summarized presentation of our approach.
PHASE I
Develop the Table of Contents
We always start by developing the Table of Contents.  To do this we facilitate a client meeting using white boards and flip charts listing all the processes in a “cradle to grave” order.  This is called “process decomposition” meeting.  The Table of Contents defines the scope of the project and serves as a project road map.
While developing the Table of Contents, we always keep to the rule, “Process titles start with a verb”.  By structuring the Table of Contents so that each line starts with a verb, we are essentially describing in that first word what is being done by that process.  Then, one only needs to scan the Table of Contents to get a good insight to the overall processes.
It is important to develop the Table of Contents at the right level of detail.  Otherwise either the manual is too high level and is useless or too detailed and never gets read.  We usually go down two to three levels of detail only: (1) Mega processes; (2) Main processes; and (3) Sub processes.  Sometimes we combine sections other times we break them apart until we get the right level of detail.  We don’t try to write at the “desk top procedures” level as that is way too detailed.
 
Finalize the Project Plan
Once the Table of Contents has been finalized we now know the scope of the manual to be written by the number of processes listed in the Table of Contents.  We then develop a detailed project plan using the Microsoft Project tool and we also develop a matrix that lists each section of the manual and the various steps to be performed on each section.  We then track our progress against both the project plan and the matrix to identify any section that warrants attention.
PHASE II
Conduct Process Interviews
Only after Phase I has been completed is it time to begin process interviews.  When drafting any new section of a process manual, we begin by interviewing the “Process Owner” or Go to Person; that’s the person that knows the most about how that process is being performed.  That is how we learn how the process is performed within the context of a client’s unique operating environment.  That person might also be a good source of Process Improvement ideas.
Identify Improvements to the “As Is” Processes
Once we have conducted the process interview with the Go to Person, we consider how the process is currently functioning as compared with our experience with how it should be functioning.  We then begin determining how the process should work in a new “will be” environment, not in the “as is”.  After all, we are consultants not scribes and our clients usually don’t bring us in to document what they do, but what they should be doing.
Document the “Will Be” Processes
We have found that the most efficient process documentation format is a combination of flowcharts and narratives.  Think of a two column document with flowcharts down the left and narrative down the right.  We use Microsoft Visio to develop the flowcharts, and copy and past them into Microsoft Word.  The Word document we use is a template with the two vertical columns and with headers and footers already established.  Naturally, there are many timesaving tricks we use in this process and the templates make it goes surprisingly quickly.
Build Team Consensus for Change
We take a highly collaborative approach on each documentation project in order to create buy in for the change we are recommending.  Accordingly, we meet with the client’s project team weekly to review the documentation sections we’ve completed and to build consensus on the process changes we are proposing in order to take the client from the “as is” to the “will be”.
Process documentation is a key attribute of any system of internal controls and auditors, compliance officers and risk managers are more often insisting on proper and up-to-date process documentation.  Process documentation projects are undoubtedly big efforts – usually not well suited to internally organized ad hoc teams.  However, a properly structured and executed process documentation project will lead to the bigger goal of process efficiency and efficacy as a result of the process improvements that are identified during the writing process.
This is a highly summarized version of our more detailed of our process documentation white paper. To view that, please download our white paper in PDF format by following this link to: FTG Approach to Process Documentation.
© 2009, The Fast Track Group, LLC. All Rights Reserved.

last edited on February 2nd, 2009 at 8:00 AM