Every organization faces some risk of fraud from within. Fraud exposure can be classified into three broad categories: asset misappropriation, corruption and fraudulent financial statements.
Answering the following 15 questions is a good starting point for sizing up a company’s vulnerability to fraud and creating an action plan for lessening the risks. The questions are based on information from the 2007 edition of the Fraud Examiners Manual published by the Association of Certified Fraud Examiners.
1. Do one or two key employees appear to dominate the company?
If control is centered in the hands of a few key employees, those individuals should be under heightened scrutiny for compliance with internal controls and other policies and procedures.
2. Do any key employees appear to have a close association with vendors?
Employees with a close relationship to a vendor should be prohibited from approving transactions with that vendor. Alternatively, transactions between these parties should be reviewed on a regular basis for compliance with internal controls.
3. Do any key employees have outside business interests that might conflict with their job duties?
Take the example of a 32-year-old sales representative who started a software company using his employer’s time, equipment and facilities. The software company he worked for discovered that the employee demonstrated his own products to the company’s customers. Ultimately, the employee diverted $500,000 in business away from his employer.
The example illustrates why key employees should provide annual financial disclosures that list outside business interests. Many companies, particularly publicly traded companies, require such disclosures. Interests that conflict with the organization’s interests should be prohibited. Organizations should implement an explicit policy that forbids employee business activities that directly compete with the operations of the organization.
Employees who have something to hide may lie or omit key facts on the disclosure form, but requiring the step still has advantages, such as making it easier to fire workers who fail to reveal potential conflicts. If an employer can show that an employee had such an interest and failed to disclose it on an annual reporting form, the employee can be fired simply for failing to follow company policy.
4. Does the organization conduct pre-employment background checks to identify previous dishonest or unethical behavior?
Organizations should conduct pre-employment background checks before offering employment to any key applicant. The scope of a background check varies by position, but a general list to consider includes: criminal records and convictions; Social Security number verification; credit history; previous employment; employment references; personal references; education verification; professional license verification; driver’s license verification and driving history check; and civil records and judgments. Employers should ensure that legal requirements are met for the use of and access to the information.
For companies that have failed to do background checks, post-hire screenings may be appropriate in some cases, but should be conducted on the advice of legal counsel. A number of legal issues come into play when employers consider screening workers who are already on the job.
5. Does the organization educate employees about the importance of ethics and anti-fraud programs?
All employees should receive training on the ethics and anti-fraud policies of the organization. The employees should sign an acknowledgement that they have received the training and understand the policies.
6. Does the organization provide an anonymous way to report suspected violations of the ethics and anti-fraud policies?
Organizations should provide employees, vendors and customers with a confidential system for reporting suspected violations of the ethics and anti-fraud policies. According to the 2006 ACFE Report to the Nation on Occupational Fraud and Abuse, frauds are most commonly detected by a tip. The greatest percentage of those tips comes from employees of the victim organization.
In one instance, an anonymous tip received by a fraud hotline thwarted a fraud scheme that had drained approximately $580,000 from a business. The caller reported that the company’s accounts payable manager was approving fictitious invoices from his own outside company. The tip clued in company management to the scheme and brought an abrupt end to the manager’s windfall. The fraudster was terminated and arrested. The company ultimately recouped most of its losses.
7. Is job or assignment rotation mandatory for employees who handle cash receipts and accounting duties?
Job or assignment rotation should be considered for employees who work with cash receipts and accounting duties. The frequency of the rotation depends on the individual’s responsibilities and the number of people available for the revolving duties.
8. Has the company established positive pay controls with its bank by supplying the bank with a daily list of checks issued and authorized for payment?
One method for a company to help prevent check fraud is to establish positive pay controls by supplying its banks with a daily list of checks issued and authorized for payment. Banks verify items presented for payment against the company’s list and reject items that don’t appear on the list.
The use of those controls foiled a fraud attempt by an employee and his accomplice, who worked for a check-printing company. The accomplice printed blank checks with the account number belonging to the perpetrator’s employer. The perpetrator then wrote more than $100,000 worth of forgeries on the counterfeit checks.
When the checks were presented to the bank for payment, they did not appear on the organization’s list of expected payments. The bank refused to cash them. The organization was notified, and the fraudsters were arrested.
9. Are refunds, voids and discounts evaluated on a routine basis to identify patterns of activity among employees, departments, shifts or merchandise?
Companies should routinely evaluate those transactions to search for patterns of activity that might signal fraud.
10. Are purchasing and receiving functions separate from invoice processing, accounts payable and general ledger functions?
Segregation of duties is an important control. The failure to segregate these duties allowed one large, publicly traded company to be duped by a member of its managerial staff. The individual managed a remote location of the company and was authorized to order supplies and approve vendor invoices for payment. For more than a year, the manager routinely added personal items and supplies for his own business to orders made on behalf of his employer. The orders often included a strange mix of items. For instance, technical supplies and home furnishings were purchased in the same order.
In addition to ordering personal items, the employee changed the delivery address for certain supplies so they were shipped directly to his home or side business. Because the manager was in a position to approve his own purchases, he could get away with such blatantly obvious frauds. The scheme cost his employer approximately $300,000 in unnecessary purchases.
11. Is the employee payroll list periodically reviewed for duplicate or missing Social Security numbers?
Organizations should check the employee payroll list periodically for duplicate or missing Social Security numbers that may indicate a ghost employee or overlapping payments to current employees.
12. Are there policies and procedures addressing the identification, classification and handling of proprietary information?
To help prevent the theft and misuse of intellectual property, the company should implement policies and procedures addressing the identification, classification and handling of proprietary information.
13. Do employees who have access to proprietary information sign nondisclosure agreements?
All employees who have access to proprietary information should sign nondisclosure agreements. It is easier to sue for breach of a nondisclosure agreement than it is to sue for theft of information. Nondisclosure agreements afford companies legal options for the use of nonpublic information, not simply for information that is considered a trade secret.
In most states, companies without nondisclosure agreements may be limited to suing for theft of trade secret information.
14. Is there a company policy that addresses the receipt of gifts, discounts and services offered by a supplier or customer?
Organizations should implement a policy that sets ground rules about employees accepting gifts, discounts and services offered by a supplier or customer. If no explicit policy is in place, employees may find themselves in ambiguous situations without clear ethical guidelines.
For example, a city commissioner negotiated a land development deal with a group of private investors. After the deal was approved, the commissioner and his wife were rewarded by one of the investors with an all-expenses-paid international vacation.
While the promise of the trip may have influenced the commissioner’s negotiations, this would be difficult to prove. However, had a clear policy regarding the receipt of gifts been implemented and enforced, the commissioner would have known that accepting the free vacation was a violation of the rules. The ambiguity of the situation would have been avoided.
15. Are the organization’s financial goals and objectives realistic?
Closely monitor compliance with internal controls over financial reporting if the financial goals and objectives appear to be unrealistic. Establish realistic financial goals and objectives for the organization. Common justifications for financial statement fraud include a desire to obtain bonuses linked to goals or frustration with objectives that were unachievable through normal means.
Joseph T. Wells, CPA, CFE, is founder and chairman of the Association of Certified Fraud Examiners and a contributing editor to the JofA. His e-mail address is email@example.com. John D. Gill, J.D., CFE, is research director for the Association of Certified Fraud Examiners. His e-mail address is firstname.lastname@example.org.