Reducing the risk of fraud from both external and internal sources is something that all businesses have to consider at some time, or continually, depending on the owner’s approach and taste for living on the edge. But seriously, fraud is a serious problem that can damage or even destroy a business, particularly small and medium ones, which can’t afford the potential losses.
At the same time, smaller organizations often harbour the belief that they can’t afford to take the measures necessary to prevent fraud. However, the reverse is probably more accurate: organizations that build themselves on a foundation of strong controls will surely find themselves with a better understanding of where their money comes from and goes to, better able to control those streams, and certainly more likely to prevent fraud or catch it in action.
Businesses of all sizes must implement controls and systems to carry out their business activities. Without controls, an organization has no way to know if it is acting efficiently and effectively. It only makes sense to ensure that those controls are appropriate to the tasks of minimizing the risk of fraud, theft and misappropriation. Effective controls encourage employees and third parties to act honestly in their work and interactions with the organization.
But what does that mean in practical terms?
Usually, controls take the form of policies and procedures. Most businesses should be familiar with those. Anti-fraud controls mainly apply to the general area of accounting (purchasing, revenue, payroll, banking and treasury, inventory, assets, etc.), but will involve many specific areas of operations, such as sales, payments, expenses, receivables, travel, suppliers, taxes, promotions and much more.
Jeffrey Sherman offers this basic example in Finance & Accounting PolicyPro:
In a retail environment, controls must be built into the point of sale processes to reduce the risk of losses due to fraud, theft or accounting error. Strong controls over this function ensure that revenues are recorded accurately and that cash, debit and credit card transactions are safeguarded.
Surely, all organizations that sell things can understand this. If you don’t know the details of every transaction, or if the records of your transactions are unreliable, how can you know how much money you have or should have in hand?
No business should operate without purchasing and revenue controls. Payroll and banking controls are equally essential to manage the risk of fraud. Controls over inventory and assets will be crucial for businesses that store goods or own lots of equipment or property.
Revenue policies might cover point-of-sale (per the example above), order processing, sales contracts, refunds, overdue accounts, bad debts, sales taxes, and more. These controls limit exposure to fraud in activities directly associated with selling products or services:
- Comparing business activity to billings
- Processes to control and grant credit
- Controlling the cash receipt and mail opening processes, by using more than one person and by independently comparing a list of cash receipts to bank deposits
- Separating handling of cash receipts from accounting record-keeping
- Following up customer complaints independently of the invoicing function
- Approval processes and support for credit notes, write-offs of bad debt, and other items that reduce revenue or accounts receivable
- Analyzing results by comparing to budget and prior years and investigating unusual trends
Purchasing policies provide guidance and control over major expenditures (other than payroll). They are designed to protect all aspects of the purchases, payables and payments cycle, including expense authorization, company credit cards, travel, purchase orders, suppliers, purchase contracts, receipt of goods and services, cost recognition, and more. Specific controls include:
- Separating responsibility for paying suppliers from purchasing and from maintaining accounting records
- Requiring two signatures on all cheques
- Documenting approvals
- Retaining supporting documentation for all disbursements
- Using an approved budget to control routine disbursements
- Having additional approval procedures for large or unusual disbursements
Payroll policies cover employee records, benefits, salaries, wages, overtime, commissions, bonuses, recognition of costs, management reporting, and more. Controls over payroll are especially important because it is usually among a business’ largest expenses. Moreover, payroll accounting is subject to strict regulation, and poor administration can lead not only to fraud, but to audits and penalties. One important payroll control is separation of payroll processing from payroll accounting. This practice improves scrutiny, which reduces the risk of fraud and makes it easier to detect errors.
Banking and treasury policies cover banking and disbursements, cash forecasting and management, and management of bank loans, debt, investments and other financial assets and liabilities, including financial instruments and derivatives. Naturally, these controls are important because cash is important, but also because well controlled cash usually means well controlled business, and thus limited exposure to errors, fraud, theft and misappropriation. For example:
- Feedback controls, such as cash flow budgets and the bank reconciliation process, detect or measure deviations from expected actions, and allow the business to take corrective measures
- Approval procedures include requiring signatures as evidence of approvals on documents that support the issuance of cheques, and requiring that all cheques be signed by two signing officers
- Structural and organizational controls include division of duties so that cheque requisition, cheque preparation and bank reconciliation and review are duties performed by different individuals
Consider, when a single employee is responsible for processing cash receipts, refunds and other cash transactions, that person is in a perfect position to alter records undetected and defraud the company. Sherman notes that, “One of the simplest ways of embezzling from a business is to steal the payments received from customers, and then conceal the fraud by altering the accounting records.” On the other hand, making different individuals responsible for receiving and processing cash receipts places a barrier between the functions, which limits any single employee’s ability to alter records and embezzle funds.
Finally, inventory and costing policies provide protection over raw materials, work in progress, finished goods, inventory counts, record-keeping, costing, reporting, security, and more. Checks and balances in these areas will prevent or limit the risk of employees, suppliers and customers stealing goods.
Insurance might also offer some protection against fraud—after the fact—and businesses should certainly consider it among their fraud risk management strategies. The stronger portion of the strategy should be prevention, as this will not only reduce the risk of fraud, but it should also improve general business practices. Any strategy should look at fraud risk from prevention to reduction to indemnification. That might mean a bit more work in the beginning, but if done right, it should mean things run a lot smoother in the future.
Adam Gorley
First Reference Internal Controls, Human Resources and Compliance Editor