A Fraud Punch List

Thanks to Partner, Scott Cosper for sharing this insight:

I hear far too many accounts of fraud from my clients and contacts. Very sadly, most of the cases are very similar and come down to the issue of misplaced trust in the person in charge of the accounting function. I can send you articles of this happening right here in Orange County to some high profile organizations. Most of the time, after the fraud is exposed, the money is gone with no chance of getting it back. Someone who steals usually isn’t someone who saves and invests.

The following bullets comprise of an assortment of things that a business should consider with respect to protecting itself. Buy the way, if you are the person in charge of the books, you need to put forth these items to both protect your company and validate your integrity. By not insisting on controls like these, you are doing a grave disservice to your employer.

  • Dual signature checks – I wouldn’t count on a bank checking the validity of a signature on a check, but theycan easily check to see if there are two. It might not stop a determined forger, but if everyone knows a second party is required to sign all checks on a regular basis, it will tighten up the cash disbursement process.
  • ACH/EFT blocks – If you don’t need to have these electronic payment services for your normal accounting process, see about having them shut down by your bank.
  • A list on the wall – Never, ever, EVER leave a list of your bank accounts out for anyone to see – including credit card numbers. They should be locked up and pass worded if possible or done with enough abbreviation to prevent their appeal to thieves. I’ve been in businesses where a list of accounts was pinned to the wall in the AP cube, the payroll office AND the controller’s office. If these numbers fall into the wrong hands, you will lose. They should not appear anywhere where they are not needed and this includes the title on the accounts in the general ledger.
  • Quality checks and printers – Yes, they can be costly, but I showed a controller one time that I could cleanly lift the payee’s name off of a check with a strip of scotch tape. Also consider the chemically reactive checks; it is very hard to manipulate these documents.
  • Reconcile bank accounts constantly – with access to online banking, you no longer need to wait until the bank statement shows up in the mail. BUT the person doing the reconciliation should not be the one who is also doing the bookkeeping. A second person, or even your tax accountant, who doesn’t have any access to the accounting functions and isn’t a party to the transactions can do it. The fancy word for this is “separation of duties”. Bank reconciliation is a very powerful control for many reasons. If it is not being done consistently, cleanly and easily, something is wrong. If reconciliations are not as current as they can possibly be, there is a process problem. If you ever hear that they are behind, find out why and immediately correct the problem.
  • It is not just paper – Try this; walk through your accounting department after hours and check the desktops, mail boxes, drawers and filing cabinets, printer trays, shred boxes and maybe even the trash. If you find any checks, bank or credit card statements or even payroll records, you’re at risk. They are critical documents and need to be tightly controlled.

Here are a few of my experiences that would have been avoided by having some of the above procedures in place:

  • A receptionist opened mail from the bank which she was clearly told not to do. The next time the bank statement came and the accounting manager reconciled the account (yes, promptly upon receipt of the statement) there were $8,000 of transactions charged to the company by the receptionist – her name even showed on the transactions! She bugged out shortly after we called her on it and the money was gone forever.
  • A client of mine noticed a large unusual check clearing his account. Someone got into his check stock (in an unlocked drawer) and stole a check from the middle of the stack. If he hadn’t been watching his bank account regularly, it could have been weeks, maybe even months before he found out about the fraud. Fortunately, he got his money back from the bank, but it was not a simple process.
  • In another instance, several credit card account numbers had been stolen by cleaning company staff after hours in a branch office. Our employees had copies of company credit card statements lying around pending completion of their expense reports. Sure we got our money back, but all of the cards needed to be re-issued and each of the fraudulent transactions had to be formally addressed in writing by the company.

Hopefully these ideas resonate with you. But above all, if there is not a strong “control environment” in the organization, there is risk – risk that can easily be reduced. Like him or not, when Regan said “trust but verify”, he was offering sage advice.

Share This: