The U.S. Chamber of Commerce estimates that occupational fraud costs U.S. businesses over $50 billion annually and that one-third of business failures are directly related to employee theft. The Chamber also estimates that 75% of all employees have stolen from their employers at least once and half of these employees have stolen repeatedly.
The Association of Certified Fraud Examiners’ (ACFE) “2012 Report to the Nations on Occupational Fraud and Abuse” reports the following statistics on occupational fraud; these are based on a survey conducted by the ACFE of 1,388 fraud cases they investigated between January 2010 and December 2011.
- The median loss per incident is $140,000.
- The frauds lasted eighteen months on average.
- Organizations lose an estimated 5% of their revenue to fraud each year.
- One-third of all frauds occurred in businesses that employed less than 100 people.
- 87% of fraud perpetrators were never previously charged or convicted with a fraud-related offense.
- Approximately 50% of perpetrators had been employed by their company for six or more years.
- Smaller companies incurred larger median loss amounts than larger companies.
- 39% of frauds occurred at private companies, 28% occurred at public companies, 17% occurred at government organizations and 15% occurred at non-profit or other types of organizations.
- Companies in banking and financial services made up the highest percent of fraud cases at almost 17% of total cases studied.
- 36% of the organizations who suffered fraud losses completely lacked internal controls. This number rose to 45% for small companies.
- Anonymous tips (from employees, customers, vendors or others) accounted for 43% of the initial detections of occupational fraud, making it, by far, the most common method of initial detection.
Statistics from the study show that no company is immune to occupational fraud and that the cost of fraud is significant. Companies, both large and small, that do not have good internal controls in place are losses waiting to happen. Companies that already have controls in place need to assess them periodically to assure they continue to minimize the risk of fraud.
Occupational Fraud generally falls into three categories
Asset misappropriation schemes are the most common form of fraud, accounting for 87% of fraud cases, but they also have the lowest amount of loss. This involves the theft or misuse of a company’s resources and includes schemes such as skimming, check tampering, payroll fraud, expense reimbursements and cash register disbursements, among others.
Corruption schemes are where an employee misuses his or her influence in a business transaction in a way that violates his or her duty to the employer in order to gain a direct or indirect benefit. Examples include bribes, kickbacks and bid-rigging, whereby a project bidding process is rigged to favor a particular party.
Financial statement fraud schemes are where an employee(s) intentionally causes a misstatement or omission of material information in the organization’s financial reports. Examples include recording fictitious revenues, understating expenses or artificially inflating reported assets. While financial statement fraud is the most infrequent type of occupational fraud, it is significantly more expensive than the other types of fraud.
The following cases are actual examples of occupational fraud. These companies ranged in size from around twenty employees to over five hundred employees. Their management never thought that they would be a victim of fraud, and therefore, never saw a need to review or assess their internal controls. They all thought that fraud was something that happened to “other companies”.
- A manager at a tire company distributed paychecks to his employees on a weekly basis. In the normal course of business, the manager received the paychecks each week from the payroll service company and then passed them out to employees. After another employee noticed the manager locked his door for a few minutes every time the payroll checks were received, she became suspicious and reported this to her manager. The company ultimately conducted a payroll audit and discovered that several former employees were still receiving paychecks, some of whom had left the company years ago. Through the investigation, the company learned that the perpetrator had the ability to access and edit electronic time keeping records for hourly employees and knew the passwords to the payroll system for department supervisors. He used this access to falsify hours, and thus paychecks, for previous employees. He then took the paychecks to check cashing companies to redeem them. The perpetrator ultimately confessed to over 300 instances of payroll fraud over a seventeen-month period totalling almost $300,000. A lack of proper internal controls was a contributing factor in this case. The company did not observe proper separation of duties, did not regularly monitor payroll records for ghost employees, did not require that employees regularly change system passwords and allowed the manager who passed out checks to accept them from the payroll service company. In addition, the company did not have a fraud hotline for employees to report suspicious behavior, which may have led to earlier reporting of the fraud.
- A 10-year accounting clerk working for a supplier to the automotive industry was in charge of preparing checks for vendor payments. After several years on the job, and added responsibilities, which included the ability to make entries in the company’s general ledger, she began to issue checks to herself and forged the authorized signatures. To conceal the fraud, she recorded the fraudulent checks as Use Tax in the ledger and noted the payee as “Confidential Vendor”. The misappropriation lasted four years and totalled over $215,000. In this case, the company did not have proper segregation of duties and allowed this employee too much responsibility. The company did not have procedures in place to review cancelled checks and verify that the vendor listed in the accounting system matched the vendor on the check. Furthermore, a final review of proper support for all disbursements and a sequential review of checks to assure that all checks were accounted for was not conducted by a manager prior to the checks being issued.
- A newly promoted controller at a printing company was in charge of overseeing all accounting functions and reported directly to the CEO. As part of his responsibilities, the controller was made a signatory for company issued checks. To commit the fraud, the controller established a bank account for a fictitious company and then began issuing company checks to the fictitious vendor. Although one of the company’s controls was to require two signatories on all checks, the second signatory was a subordinate of the controller, and the subordinate employee was directed to sign the checks even though they lacked proper documentation. Rather than setting up a separate vendor account for the fictitious vendor, the controller made the payments under various existing vendor accounts. The fraud was ultimately discovered when one of the customers received a statement showing several payments made by the printing company to the fictitious company under this customer account. The fraud lasted just over a year and cost the company over $115,000. In this case, too much responsibility was given to the controller, the second signatory was a subordinate of the controller, and no formal communication channels existed to report potential fraud. Furthermore, a secondary review by another employee to assure all payments were properly documented was not done.
The above statistics and case studies demonstrate that fraud is not limited to a specific industry, type of company or employee. It is far reaching and impacts all types of organizations, whether large or small, public or private, for profit or non-profit. Furthermore, small companies have to be more vigilant in their efforts to detect and prevent fraud because statistics show that they may be at a higher risk for fraud, primarily due to limited resources required to put proper internal controls in place.
The Committee of Sponsoring Organizations of the Treadway Commission published a report titled “Internal Control – Integrated Framework” which defined internal control as:
A process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations. 
The report describes the first category as addressing an entity’s basic business objectives, including performance and profitability goals and safeguarding of resources. It describes the second as relating to the preparation of reliable published financial statements and the third as dealing with complying with those laws and regulations to which the entity is subject.
In the following paragraphs, we focus on specific control policies and procedures that can be implemented to help an organization safeguard their resources as noted in the first point above. While there is no question the implementation of internal controls can come at a significant cost, there are many simple and inexpensive steps that companies can take to minimize the risk of fraud or aid in early detection. In some cases, the controls may be as simple as a few extra steps within the normal processes or simply re-distributing the duties given to employees and owners.
Several years ago, we re-evaluated our own internal controls and duties so we could continue to remain ahead of the times in an ever-changing business environment where fraud and misappropriation seems to be in the news more and more. At the end of the day, the only cost is a few extra administrative hours per month. The following are some additional procedures that are easy to implement and are hopefully both useful and effective to someone trying to improve internal controls for their firm.
Where is a firm most vulnerable to employee misappropriations? The obvious answer is: the money being received and disbursed through the firm’s bank accounts.
The easiest procedure to implement is “Separation of Duties” when it relates to money being received. While a smaller firm may have a more difficult time with these procedures purely due to numbers, owner involvement in the process and review of accounting information is a good alternative. A larger firm should be able to easily implement internal control procedures. A good place to begin is organizing the firm’s banking responsibilities so that all invoices for services are issued out of one office by a billing person, with all cash collections and deposits being handled by another office. All money being received is sent and deposited in a different office from where invoices are issued or where the bills are paid. Finally, the monthly bank account reconciliation is performed in a third office. While performing the bank reconciliation, part of this process is verifying the checks that have cleared the bank have been posted to the ledger account. If a check does not appear on the ledger, this should be investigated so the amount can be posted and to verify it was not a fraudulent check. With these methods, there is separation between functions, and one person does not handle multiple functions of the cash collection and banking process. On the payable side, one office should handle disbursements and not reconcile the bank accounts.
Most firms have an employee who handles both the payables and wire transfers. A few procedures to implement are: once the wire or check has been setup to be processed, a partner or owner must approve the funds transfer with the bank, insuring the employee is not sending cash to their family or friends through fictitious transactions or false vendors. Another tool the banking industry now offers is a process called “positive pay”, whereby the bank is pre-notified of all checks that are being written so that they will be pre-approved upon presentation. The bank will not honor any check that has not been pre-approved. This not only increases the review of checks employees prepare, it guards the firm against fraud of someone duplicating your checks and trying to clean out your account without you ever realizing until it is too late. For example, an employee or partner makes a check payable to themselves for $100,000 and goes to the bank to cash it; if that check was not provided to the bank and approved by a Partner, it will result in the bank not honoring the check. In our bank’s case, the bank calls the partner in charge of banking and requests authority to honor the check. You may be saying, well the partner with the checkbook can write a check and approve it himself. This is where the partner reconciling the checkbook, who is a different partner (in our instance), may notice something out of the ordinary and asks the question, “What is this?” If the person reconciling the account notices a large check to a vendor that was not a regular or familiar name to them, they should investigate the expense. A few minutes of your time may potentially save substantial money.
A suggestion that takes only a few minutes each month is, when reviewing the bank statement which may have images of each check that cleared, the person who signs the checks always signs in the same spot on the signature line. As you glance at the check copies, if the signature is not in the usual location, it is easy enough to ask some questions.
An area where the insurance industry has expanded in recent years is the “Expert Fee Fund”, where a firm is asked to disburse funds on behalf of insurance carriers and review and pay expert fee invoices for a particular case. As these assignments have increased in quantity, we have worked on implementing ways to prevent theft as employees and partners have the ability to disburse funds, very similar to the attorney Trust Account. Some general protocols for protection of the funds in these types of accounts include:
- Two partners should act as signors; employees should not have check signing privileges.
- Partners need to review all requests for payments, including copies of invoices, etc. to match to the checks written and verify the support is sufficient.
- A partner should reconcile the account versus the employee handling to review for “additional” checks or amounts and check that seem “out of place”. Taking it one step further, a partner not overseeing or signing the checks for disbursements should perform the reconciling function. This is similar to the discussion of above regarding separation of duties.
- A documentation audit should be performed periodically to verify proper substantiation has been received for disbursements.
Realizing “trust” accounts are slightly different, similar procedures may be utilized; as every circumstance and account is different, the above can be used as a guide and modified as appropriate to each account and firm’s requirements.
Another form of fraud which was previously mentioned, are “Ghost Employees”; this is where an employee sets up a fictional employee and includes them in the payroll, most likely with the funds being deposited in an account they control. To prevent this, if your payroll functions are performed by an employee in one office or department, the review of the bi-monthly or weekly payroll register for fictional employees or abnormalities in pay to employees should be performed by a partner in another office. This procedure certainly works where you have 50 employees; however, if there are hundreds of checks being issued and the person reviewing doesn’t know everyone, this task is much harder. In this case, you can certainly still review the payroll register for “odd” or high amounts and investigate.
Perhaps the easiest place for an employee to find some extra compensation is the Expense Account. A couple of procedures that may be helpful with tracking and guaranteeing that expenses are legitimate are as follows. Operate with a corporate American Express card which all partners and employees carry; these are billed to a master account which is paid directly by the firm. This method ensures, as all expenses charged to the credit card have to be accounted for on an expense account, if something is potentially out of place or fraudulent, there are several steps that potentially catch the misappropriation. Each month, all expenses should be reconciled. If an expense is not reported on an expense account, the employee should be questioned and the expense accounted for. Also, on a quarterly basis, review the expenses by scanning the entries and look for any out-of-the-ordinary charges or vendors and investigate. While fraudulent charges may not appear, the extra steps and procedures should be in place for the simple fact that if employees are aware of the procedures, they may think twice before acting.
Many firms have employees utilize their personal credit cards for travel expenses. An example of potential fraud utilizing a credit card not reviewed by the firm is as follows: an employee purchases airfare for a trip and charges $1,000 on their expense account and provides a receipt. After submitting to the firm, the employee cancels that fare and purchases one for $500 and utilizes this for the travel; however they just pocket $500 because there is no way of verifying the expense unless the firm reviews the personal credit card records of the employee, which most likely does not occur. Utilizing a corporate card would prevent this type of fraud from occurring as the company would see the $1,000 credit when the ticket is returned.
There are several additional procedures that can be utilized to perform a “sanity check” on your procedures and duties. A firm can engage an outside professional accountant to interview the employees who handle the above tasks, review the internal controls you have in place and recommend changes to the controls based on your individual business, staff levels, operations and degree of owner involvement. They will be able to provide an outsider’s view and comments on your procedures in place, as well as judge the employee’s responses to questions regarding their duties. Also, a firm can have a partner or owner do a high-level review of the monthly financial statements, checking for anything out of the ordinary.
Remember: a few simple procedures and some extra time can go a long way to ensure a firm does not become a part of the statistics discussed in the opening paragraph or being a victim for the second time.