How to Protect Your Business Against Fraud
The amount of fraud being perpetrated against businesses is getting worse, both in terms of the number of instances and the amount of money that is being lost, and some of that can be attributed to worsening economic times, according to research. Almost half of the companies around the world surveyed by PriceWaterhouseCoopers (www.pwc.com) in 2009 reported that they suffered one or more instance of economic crimes. The survey, which involved 3,000 executives of businesses large and small in 54 countries, found that 88 percent of U.S. companies that reported some type of fraud also reported declines in financial performances. In addition, three-fourths of the crimes against businesses in the U.S. were carried out by insiders.
For small and mid-sized businesses, the vulnerability to fraud can be compounded because of the sometimes informal nature and the fact that fewer staff members can result in less oversight -- and a lack of checks and balances.
'Small businesses tend to be very informal in nature. A lot of times they're either formed with friends or family members, and all the formalities are not in place as they would be in a larger business,' says Elena N. Lougovskaia, co-founder of Lougovskaia Boop, LLC (www.lougoboop.com), a law practice in Cleveland, Ohio, focused on business law and commercial litigation. 'Employees wear many different hats and perhaps decision makers should be separated from people who sign the checks or one person should be responsible for signing check and a separate person should be responsible for accounting, processing invoices, and purchasing.'
The following pages will cover the types of fraud against business, how to detect fraud in your business, and how to set up policies and procedures to prevent your business becoming a victim of fraud.
Dig Deeper: Are Your Staffers Stealing from You?
How to Protect Your Business against Fraud: Types of Fraud against Business
The media is filled with stories of consumer victims of fraud. But the reality is that businesses, especially smaller enterprises, are more often the victims of fraud than consumers. The types of fraud can vary wildly, from accounting scams carried out by employees to fraudulent returns from customers to data theft by outsiders. Businesses have less protection than the consumer and, in some cases, can be held responsible in a business fraud scheme, owing liability to banks, shareholders, insurers, credit card processors and other entities. New laws also hold businesses accountable for liability in the event of some types of fraud perpetrated by third parties, such as data breaches.
Sources of Business Fraud
In order to understand the types of fraud that your business may be vulnerable to, you must first understand the different sources of these crimes. Most professionals agree that the top sources of business fraud, ranked in the order of frequency and cost, are as follows:
Employees and Officers
In previous surveys, PriceWaterhouseCoopers had found that the sources of crimes against business were evenly split between insiders and outsiders. But in the 2009 survey, the numbers tipped in favor of insiders carrying out the majority of crimes -- in 76 percent of the cases in the U.S., according to the survey. The increased financial pressures in many companies have also prompted a rise in the amount of fraud committed by middle managers, which now accounts for 42 percent of internal frauds globally from 26 percent in 2007, the survey found. Meanwhile, the Association of Certified Fraud Examiners (ACFE) (www.acfe.com) estimates that business organizations lose 5 percent of annual revenue to fraud by employees and officers.
'Managers and small business owners have a tendency to trust their employees to a higher degree and, because they are doing more, they may not be as detail oriented as they should be,' says Allan Bachman, education manager for the ACFE. 'That level of trust is often betrayed. Sometimes employees start taking advantage of the fact that the boss isn't looking and thinks I'm doing a great job.'
The most common types of insider frauds include theft of assets and accounting frauds, but this type of crime can also include other categories, such as fraudulent worker's compensation claims. 'If you're in a no-fault worker's compensation state, as long as they're injured within the scope of employment, they can receive compensation for their injuries,' Lougovskaia says. 'That's an area where employees could be taking advantage.'
Employees, managers, and directors have the inside track and understand how a business works. That's why they are able to perpetrate so many different types of schemes -- and how they can often go undetected. Bachman says that the biggest source of insider fraud against businesses involves purchasing and procurement of goods and supplies. Insiders may be buying more goods than a business needs and lining their own pockets or paying invoices to an external third party for fraudulent orders. Other common schemes, says Bachman, include creating fictitious vendors or no-show employees -- who get paid for doing nothing. Accounts payable is another area where insiders may be skimming money by taking cash payments and failing to report them or replacing today's payments with cash paid at later dates.
Customers can also be notorious for trying to perpetrate fraud against businesses. Whether writing bad checks, using stolen credit cards, returning items not purchased from a business, or filing fraudulent injury and liability claims, there are a whole host of schemes that customers can perpetrate that will cost your business money.
'This is a very litigious society, so if you own a store or surface where customers walk or you have a parking lot, you are susceptible to people claiming they fell and injured themselves,' Lougovskaia says. 'If you don't have any surveillance and safety procedures in place, you are susceptible to frivolous liability complaints.'
False return schemes are another type of fraud that tends to impact retailers. People sometimes bring back merchandise from one store to another or they bring back merchandise that has been used. 'I've seen frauds where someone walks into a store and bought three pieces of merchandise, went out to their car and put the merchandise away, and came back into the store and picked the same stuff up and put it in a bag and walked out with it,' Bachman says.
Businesses are often the target of unscrupulous contractors' overcharging, over billing, kick backs, failing to perform contracted work or service, and other actions.
Some vendors you hire may try to scam you by billing for work they never complete. 'I can come into your company to provide carpet cleaning and you give me the alarm code and I come in once a month instead of once a week but bill for providing the service once a week,' Bachman says. 'Of you can short out services or goods because no one is paying attention. You order 50 chairs and I send 45. There are a lot of different ways of doing this.'
A growing number of types of fraud are being perpetrated by electronic means. Hacking, slamming (changing your telephone service without your knowledge), phishing (acquiring user names, passwords, credit card information), identity theft and other forms of business fraud are some of the most difficult to control. More businesses are being held accountable for data breaches perpetrated by third parties, as 45 states, the District of Columbia, and some U.S. territories now have laws on the books requiring companies to notify potential victims if their personal information has been stolen or otherwise compromised.
How to Protect Your Business against Fraud: How to Detect Fraud
Given that fraud against your business can impact the bottom line, it's important to set up procedures to verify adherence to anti-fraud policies and to detect and deter possible business fraud. Lougovskaia says business executives should commit to talking control by developing an enterprise-wide, anti-fraud policy that:
- Verifies that anti-fraud work practices are followed and detects fraudulent activity.
- Develops written procedures that dictate work processes in critical areas.
- Institutes checks and balances and divides key responsibilities.
Below are several ways to deter and detect fraud in your business:
Employee Tips and Reporting
An often overlooked, but excellent way to prevent fraud is to develop an anonymous way for employees to report suspected fraud and work practices that lead to fraud. Businesses that institute anonymous employee reporting detect fraud earlier and significantly limit financial losses. 'You could have an anonymous tip box,' Lougovskaia suggests. If you do opt for a tip box, you should take steps to ensure that the process isn't abused to settle personal grudges. One way would be to appoint one individual to investigate all claims and ensure that anonymity is protected.
Internal Audits and Surprise Audits
Work processes, inventories, and accounting should be subject to regularly scheduled and announced internal audits. In addition, unscheduled -- or surprise -- internal audits also should be conducted. Work processes, inventories, and accounting can be altered in advance of regular audits, but knowing a surprise audit may occur removes temptation and increases the chance for fraud detection.
At a regular interval, external auditors should be employed to review company accounts, contracts, inventory and work processes, Lougovskaia says. Depending on the size of your business and whether it is a publicly-held enterprise, this may be required by law. Thus, it makes sense to set up external audits early in the history of your business so compliance with applicable laws and regulations can be achieved as your business grows.
How to Protect Your Business against Fraud: How to Deter Fraud
There are ways to deter fraud. One of the most important steps a business can take is to create a system of awareness at the top level of management. 'Never think that it can't happen here,' Bachman says. 'Create a level of awareness throughout the organization that we're watching for it. Make it clear in terms of deterrents that, if we catch it, we're going to prosecute, both criminally and civilly.' Civil action may be needed because people who have profited from ill-gotten gains may not have the cash on hand to return – they may have bought items, such as fancy cars or jewelry.
Written procedures are necessary to develop internal consistency and to insure adherence to anti-fraud work practices and policies. At a minimum, the business should take the following steps:
- Hiring practices and background checks. Background checks should be a precondition to employment. The business should secure written permission to conduct such investigations, which should include criminal background investigation, verification of education, right to work, licensure and past employment, Lougovskaia says. A credit check should be performed on employees who will handle cash or inventory.
- Cash and receivables and accounting. A written cash and receivables handling policy should accomplish two goals. It should train employees to spot bad checks, counterfeit currency, and stolen credit cards and insure proper accounting. 'The policy should address possible discipline for cash shortages and failure to strictly follow handling guidelines,' Lougovskaia says. The policy should address the use of customer-provided information and the handling of vital customer data.
- Inventory handling and tracking. A written inventory policy covers sales stock and company equipment. Pilferage is often an 'entry level' criminal enterprise. Contractors and employees engaged in this activity often perceive a weakness in inventory controls as an indication that fraud will not be detected. 'What happens to those items from the time they get off the truck to the time they hit the store shelves?' Lougovskaia says. Put those procedures in writing and give them to employees.
- Contract and invoice reviews and procurement. Regular reviews of accounts payable invoices, purchase orders, and payments can eliminate various types of fraud. It is important for small businesses to be able to verify that contractors have performed the work that they bill for -- before paying the invoice from that contractor. 'You need to outline billing practices with your contractors and require them to itemize billing, including the names of employees involved and listing a quarter hour itemization for each task,' Lougovskaia says. 'You need to provide better oversight and you need to have it in writing.'
- Critical data and corporate information. These days, every business that keeps sensitive data -- whether about customers or employees or the company -- need to have written data handling policies. These policies should spell out who has access to vital information, passwords, account numbers, databases, etc. Document retention policies should include scheduled, mandatory shredding of certain documents containing employee information or corporate data. Use confidentiality agreements and non-compete agreements for key employees.
- Customer returns. Customer returns can be a significant source of fraud. Since most state consumer laws require a posted customer return policy, it makes sense to develop a written return policy that will eliminate fraud risk, Lougovskaia says. Elements of your policy might include that you require returns to take place where the item was purchased, require a receipt, and do not issue cash refunds for credit card or check purchases.
- Visitor/customer injuries. There are ways of deterring fraudulent customer claims of accidents or incidents involving your business property. Retail establishments should consider installing video surveillance systems and having a handheld video camera ready in the event a customer falls on the premises to protect your business. If your business is not a retail establishment, you might consider requiring visitors to sign in and wear clearly identifiable badges. Tracking customer claims of injury via incident reports, and training employees to create reports immediately, cuts down on fraudulent injury claims.
- Internet, e-mail, laptops, cell phones, and storage devices. Clearly defined policies need to establish that Internet access and e-mail remain the property of the business for business purposes. Eliminate all employee access to non-work e-mail and Internet sites, Lougovskaia says. Written guidelines addressing the use of business laptops, cell phones, and storage devices will reduce the possibility of critical corporate and customer data being lost or stolen.
How to Protect Your Business against Fraud: Creating Checks and Balances
Internal controls are one of the great fraud deterrents. Internal controls involve the processes by which a business operates and goals are achieved. In accounting, it refers to the reliability of financial reporting and compliance with laws and regulations. Setting up good controls is important for a business to detect and deter fraud.
'A lot of organizations have an internal audit department, but small organizations can't always afford that luxury,' Bachman says. 'But they do have accountants and other people in charge of keeping track of accounts.' However, small businesses may have some weaknesses in terms of controls, such as putting the same employee in charge of making deposits and reconciling bank statements. Allowing one employee/department to perform multiple critical functions is inconsistent with preventing fraud. By dividing the responsibility of certain functions, a system of checks and balances is created and this creates an environment where fraud is less likely to occur. Lougovskaia says businesses should consider the following examples to establish better checks and balances:
- Separate the person/department writing the checks from the person/department that reconciles the bank statement.
- Do not let the person initiating a purchase order approve the payment regardless of position within the company.
- Separate the functions of creating databases, maintaining databases and using the data. For example, the person responsible for generating payroll checks should not be entering employee data.
- Require separate confirmation and storage of inventory records away from the location of the inventory and rotate responsibility for taking inventory.
- Assign administrative access to the business data, web site, intranets, and email accounts to different individuals.
Implementing a fraud prevention plan requires commitment and also requires the business to provide the right tools and support to its employees. Businesses are better off if they build in deterrents, establish good controls, and provide oversight. It's also important to encourage employees to have a conscientious attitude, says Bachman, such as: 'Our business' survival depends on employees being honest.'
Ten Ways to Prevent Identity Theft from Staples.com
The FBI's List of Common Fraud Schemes:
Understanding and Detecting Fraud by the Department of Justice
The United States Treasury's Financial Crimes Division
The United States Post Office Mail Fraud Unit
PriceWaterhouseCoopers 2009 Global Economic Crime Survey