
The Importance of Internal Controls

November 7, 2022

Contributors: Tony DiVito, CPA, MS, CFE, Principal, Finance and Accounting Solutions & Avi Beliak, CPA, CFF, CFE, Forensic Audit Manager

Congratulations — you’ve built an organization where people are proud to work. You lead with integrity, your products or services are top-notch, your clients/customers are happy, and your workplace culture feels like a functional family working toward a common goal, not a motley crew of colleagues and employees pulling in different directions.

So why do you have that sinking feeling that someone might be stealing from you?

Simple: Because there’s a high likelihood they are!

According to research compiled by Zippia in 2022, about 75 percent of U.S. businesses are affected by employee theft, with three out of every four employees admitting to stealing from their employer at least once.

Small and mid-size businesses — those with 150 employees or fewer — tend to be prime targets, according to more than one recent survey by specialty insurance company Hiscox. Findings revealed that those businesses are home to 80 percent of embezzlements, 30 percent of which lose more than $500,000.

If that kind of hit isn’t frightening enough, consider the Society for Human Resource Management’s (SHRM’s) estimate that employee theft is linked to 33 percent of corporate bankruptcies. Even businesses that survive do not emerge unscathed. Consider the collateral damage Hiscox’s survey-takers reported: a wrecked reputation, lost customers and business partners, and difficulty attracting new customers.

Clearly, whether you have a hunch someone is stealing from your organization, or you’re simply (and rightfully) worried there are opportunities to do so, acting quickly is imperative.

The typical fraud case lasts 12 months before detection, with a loss of $8,300 per month, or about 5 percent of revenue, according to the Occupational Fraud 2022 report from the Association of Certified Fraud Examiners (ACFE).

Daunting as it might seem, you’re not powerless to detect such rampant dishonesty and prevent it from taking down your company. How? By doing what ACFE states nearly one-third of companies affected by fraud don’t do: put robust internal controls in place — and make certain the controls you already have are effective and continuously monitored.

Step One: Recognize Where Fraud and Theft Can Happen

According to ACFE’s 2022 report, fraud cases most commonly occur in these four areas of an organization: operations, accounting, executive and upper management, and sales.

(Worth noting: ACFE finds that executives commit only 23 percent of occupational fraud but cause the most substantial losses — generally $337,000, as compared to management’s $125,000, and staff employees’ $50,000.)

A multitude of opportunities exist to exploit a business or an organization. Some common methods of embezzlement include: falsifying timecards; stealing cash, property, merchandise, or sensitive data; asset misappropriation; skimming customer credit cards or chunks of cash before the latter is entered in the books; tampering with checks and payments; fraudulent billing; and intentional material misstatements or omissions in the company’s financial statements.

Step Two: Conduct a Risk Assessment

Unless you’re a fraud, accounting, and cybersecurity pro, identifying every opportunity a bad actor could exploit within your organization isn’t likely something you can or should manage alone or in-house. By using control mechanisms, you can certainly manage risks and help identify potentially fraudulent activities by optimizing the following accounting functions:

Budgeting, Accounting, and Financial Reporting

  • Are ledgers reconciled with supporting documentation in a timely manner?
  • Is the person reconciling transactions the same person initiating and finalizing them?
  • Who reviews (and documents their review of) all reconciled transactions and supporting documentation?
  • Do the financial reports compare budgeted balances with actual financial activity, and are those generated and reviewed by appropriate management?

Cash, Collections, and Deposits

  • Are the collection and deposit preparation functions segregated from other accounting functions, including accounts receivable and general bookkeeping?
  • Are all types of cash (cash received from customers, petty cash for day-to-day operations, change, etc.) accounted for and posted immediately, quickly deposited or physically stored in a safe place, and are receipts issued for collections received in person or through mail?
  • How often are receipts and deposits reconciled — daily or when received, etc.?

Purchasing and Disbursement

  • Are at least two people dividing responsibility for making and receiving purchases, processing invoices for payment, and reconciling purchases with documentation?
  • Who reviews the recorded charges?
  • Does that individual regularly inquire about any charges that look unfamiliar and ascertain that all purchases — even those made at approved vendors — are actually used for their intended purposes?
  • What controls are in place to ensure that returned purchases are refunded or credited back to the organization?
  • Are controls in place to review and approve vendor invoices and employee expenses/reimbursements, as well as to prevent errant or duplicate payments?
  • Is someone with sufficient knowledge of the operations empowered with the authority to review and approve or deny purchasing card transactions?

In truth, the above areas and questions are just the beginning. Payroll schemes, billing schemes, understated revenues, fictitious revenues, improper disclosures or asset valuations, invoice kickbacks, false sales and shipping — there are dozens of ways a bad actor (or more seriously, several bad actors working together) can bilk your company or organization.

Step Three: Prevent

Ideally, you have in place a code of ethics or conduct outlining the company’s overall expectations, and one that is further strengthened by clear-cut policies outlining specific financial rules for each risk area within the company (e.g., what is and isn’t an appropriate business expense, what authorizations are required, how and when expense reports must be handled, and what should be included, etc.).

Policies should apply to all employees yet must be tailored to different roles and levels of authority, and any violation should be immediately addressed. The goal is not to create a culture of fear but to clearly communicate that mechanisms, processes, and monitoring are continuously at work in a concerted effort to prevent fraud and theft.

Perhaps no mechanism is as useful in preventing fraud and theft as the segregation of duties. There are far more processes that would benefit from segregation than can be detailed here, but in general, the tasks that are most important to segregate are authorizations or approvals, custody of assets, recording transactions, and reconciliation of those transactions.

It’s imperative that you identify and implement segregation of duties in as many processes as possible. Obviously, for small- and even mid-sized companies already lacking adequate manpower, that isn’t always feasible. If that’s the case in your company or organization, consider outsourcing to a third-party firm to handle, back up, or oversee your existing workflow (or portions of it) in bookkeeping, accounting, HR, and/or IT so that you can confirm that no single employee has the ability to both commit and conceal theft or fraud as they fulfill their usual duties.

At the very least, work with a third party that’s adept at helping organizations incorporate or leverage technologies that can mimic the segregation of incompatible duties and the checks and balances that a company with a larger staff could manage — ideally, a firm that is adept in accounting, IT/cybersecurity, and fraud prevention and response.

Step Four: Take Action

Unfortunately, many organizations don’t look for a reliable firm until they find themselves in an emergency situation where theft or fraud has likely occurred. So, what to do if you sense or see potential opportunities, signs, or — worst case scenario — evidence of theft or fraud? To protect yourself, your organization, and its data and customers, the most effective approach is hiring an experienced financial services and business advisory firm with expertise in risk management and forensic accounting to:

  • Conduct a 360-degree evaluation of your operations
  • Identify any vulnerabilities
  • Offer recommendations to close the gaps
  • Work with you to implement changes in processes, technology, etc. to mitigate risk and continuously monitor operations

When theft or fraud has most likely occurred, we recommend you do not confront or accuse anyone, under any circumstance. Instead, consult with a forensic accounting team to investigate, gather evidence, and report on findings. You will want to make sure the team members are licensed, fully credentialed professionals who can not only conduct a forensic review and perform a full investigation for fraud, embezzlement, and other related matters, but also provide the necessary reports suitable for litigation, as well as provide expert testimony in support of any findings.

If you’re comparing two or more firms, be sure to ask about their experience in these types of cases and whether they have previously offered testimony. Bottom line: If you’re taking bids and there is a large discrepancy in the total between two or more, drill down into each estimate and press for details on the specific services provided; a firm should have a solid understanding of, and be able to explain, what kind of time is needed for your specific case.

With the implementation of a strong internal control environment, as well as some luck, you won’t need to make an urgent call for help after discovering a catastrophic theft or fraud, and you won’t ever be in a position where you have to doubt the honesty or intentions of your employees or business partners. You’ll have all the necessary policies, technologies, and internal controls at work and continuously monitored, preventing opportunities large and small, and protecting your organization — and the functional family that truly is working toward a common goal.

Interested in gaining that kind of peace of mind? Give us a call to schedule an independent review of your company, organization, or municipality’s current ERP and accounting systems and internal controls, complete with recommendations for improvements tailored to its unique needs and means.

 

To get started, download our one-page guide – The Great Advantage: 5 Outcomes Your Organization Can Experience with Outside Help: https://go.rehmann.com/Solutions

 

Boasting over 30 years of experience in public accounting, Tony DiVito specializes in accounting software analysis and internal controls assessments. As a trusted consultant, he documents processes and procedures, identifies risks, performs comprehensive internal control analyses, and organizes software demonstrations to ensure that his clients select ERP and accounting systems with confidence. He has extensive experience providing accounting, tax, software support, internal control, fraud prevention and forensic accounting services to closely held businesses. Tony can be reached at 248.458.7892 or [email protected].

Avi Beliak, a CPA licensed in both Michigan and Arizona, has focused primarily on forensic accounting since entering the industry in 2006. Avi conducts forensic reviews and audits of financial records related to investigations of fraud, embezzlement, and the like for clients that range from corporate entities to government agencies. He has vast experience working closely with attorneys, law enforcement, bank officials, and corporate representatives to gather documents and assess processes, and is able to provide expert testimony. Avi holds a Certified in Financial Forensics (CFF) designation from the American Institute of Certified Public Accountants and is a Certified Fraud Examiner (CFE) through the Association of Certified Fraud Examiners. Avi can be reached at 248.614.6461 or [email protected].