As a small business owner, you probably question the cost of preventing potential fraud in your organization. It makes perfect sense today to balance the cost of risk mitigation versus just absorbing that risk. However, when it comes to preventing fraud, the potential risks cannot be ignored. One single incident can cost your organization tens of thousands of dollars or more, can destroy employee morale, and can leave a lingering feeling of distrust among your customers and vendors. Taking the steps to protect your business does not have to be cost prohibitive. A simple Fraud Risk Checkup can take the temperature of your business as it relates to vulnerability to fraud. The Fraud Risk Checkup takes about 30 minutes and can provide a snapshot of what areas of your business are ripe for fraud.
The first order of business after Spring Break and St. Patrick’s Day is to email your co-workers about the annual NCAA basketball tournament bracket. Company employees will take five minutes to fill out their bracket, playing for a cash prize or bragging rights, and then spend countless hours during the work day watching basketball streaming on their work computers. This year, as companies are revising their compliance programs to try to ensure a risk-based approach to compliance, the NCAA tournament presents a monumental opportunity. Instead of hiring some costly third party to assist in this effort, the NCAA tournament presents a free way to conduct an internal compliance assessment by creating a compliance risk assessment bracket in the style of the ones used leading up to the Final Four.
Here is an example:
The complexity of your bracket will vary depending upon the size of your operations and type of business. The model above is just a starting point, and you may consider including some non-risk areas for the business just to see how they perform. For instance, if your company is a U.S. business with no foreign operations, include the Foreign Corrupt Practices Act in your bracket to see how far it goes.
You also need some instructions to go with your compliance bracket. These can be modified and adjusted to conform to the company. A good place to start might go something like this (subject to state law governing gambling, company policies, and the like):
- Announce that the company has officially sanctioned an NCAA tournament bracket this year. The employee who wins the tournament will receive a $10,000 cash prize. (Having an official, company-sanctioned tournament will make it harder for that guy in accounting to prey on employees with little knowledge of college sports by encouraging them to pick teams based on the school colors.)
- But here’s the catch: In order to participate in the NCAA tournament bracket this year and be eligible for the $10,000 prize, you also must complete the compliance risk assessment bracket by choosing which compliance areas in your operation/country/business unit pose the greatest risk, generating the Final Four Compliance Risks.
- Completing the compliance bracket entitles you to watch one NCAA tournament game on company time—unless Ole Miss goes undefeated in the first three rounds, then each employee who completes the compliance bracket can watch three games. (Employees will do this anyway, so with this admonition, you can try to limit them to one game instead of watching the entire tournament.)
- You must submit both the compliance bracket and the tournament bracket before the first tournament game begins. You must choose a compliance subject matter and NCAA basketball winner for each bracket. The winner of the NCAA bracket will be decided by multiplying the number of correct predictions of winning teams in each round by a weighting formula for each round (here those accounting guys come in handy). But note that with the compliance bracket there are no right or wrong choices—we are all winners for filling out the compliance bracket and bringing these issues into sharper focus.
The email announcing the twin tourneys should preferably be sent by someone in operations—an executive would be terrific. (Warning: If the email is sent by the chief compliance officer or general counsel, employees will think it’s a trick and not respond.)
At the end of the tournament, the CCO will appear to be less of a killjoy for facilitating the tournament—and as a bonus, the underground NCAA tournament (with competing brackets and formulations) will end. Employees will be happier, as will be the chief compliance officer and general counsel, who will know that everyone is more aware of compliance concerns and can help make the company compliance program more effective.
As we are already well into 2013, I look back and reflect upon the experiences that I had in 2012. I think what continues to surprise me the most is the cavalier attitude that so many organizations have when the subject of fraud is broached. You would think that, with as much media attention as fraud and embezzlement get, businesses, organizations, and those charged with fiduciary duties would “get it,” but in many cases, far too many cases, they do not. I still hear, over and over, “that would never happen to us.” It almost sounds like a cliche to me anymore and I almost come to expect it. I almost want to respond by saying, “What would it take for you to see it differently, somebody stealing hundreds of thousands of dollars from your organization?” In any case, I continue to forge on, preaching the gospel that “fraud happens.” Maybe I should get bumper stickers and t-shirts with that slogan. Now that is a novel idea!
An effective hotline is clearly an important means of detecting fraud. More importantly, it is an effective means of shortening the duration of a fraud. According to the ACFE’s 2010 Report to the Nations on Occupational Fraud and Abuse, more than 40% of frauds are detected via tip, nearly three times more than by any other detection method, and two-thirds of those tips were made through fraud hotlines. In addition, a well-publicized and widely supported hotline can also have a preventative effect: by giving all employees a clear and secure way to report any suspected wrongdoing, an effective reporting mechanism can increase the fraudster’s perception that he or she will be caught and might deter him or her from commencing the scheme.
An organization’s control environment sets the moral tone of the organization and includes the integrity, ethical values and competence of the entity’s employees, as well as management’s philosophy and operating style. If the tone set by management is poor, and the owners, executives and managers exhibit less-than-ethical conduct, employees at lower levels in the organization will see that such activities are tolerated and will be more likely to engage in unethical, or even fraudulent, conduct. As part of establishing an effective control environment, it is highly recommended that a written code of conduct be in place that covers all employees. Keep in mind, however, that while the official policy should reflect desired conduct, corporate culture will determine what occurs. Consequently, in addition to instituting formal policies covering employee conduct, management must do the following:
- Lead by example
- Verbally communicate the entity’s values and standards to all employees
- Establish and enforce penalties for improper conduct
- Ensure that jobs are staffed by employees with requisite knowledge and skills
- Establish appropriate reporting lines
- Set human resources policies that ensure the organization hires, promotes and supports competent and trustworthy individuals
Because employees are on the frontline to observe suspicious acts by their fellow staff members, employee anti-fraud education is the cornerstone of an effective fraud prevention program. Without training about how fraud hurts the organization and its staff, what constitutes fraud, how to identify the red flags of fraud, how to report any suspected wrongdoing, and the consequences of fraudulent actions, many employees might miss, or even willingly turn a blind eye to, the warning signs of theft and misconduct. To be most effective, such training should be based on the realities of the organization, rather than on generic anti-fraud messages that provide no real applicable value, and should be ongoing, with refresher training held at least annually. Additionally, while employees at all levels should be required to participate in the anti-fraud training program, managers and executives should be provided with supplemental training that addresses the added fraud prevention and detection responsibility that comes with their positions of authority.
With their high fund-raising activities and performance goals, and volunteers handling money and keeping accounting records, non-profit organizations can be prime targets for fraud. Below are some of the red flags to watch for:
- Budget cutbacks
- High turnover
- Refusal to take legitimate perks
- Overemphasis on short-term fundraising goals
- Poorly monitored supervision and controls
- Bounced checks
- Things don’t add up
- Anonymous tips
- Lifestyle or behavior changes
- Inattention to details
- Failure to conduct background checks on those handling money
- Keeping problems a secret
- Failing to investigate and prosecute offenders
Do you need to size up how vulnerable your company might be to fraud? Ask the following questions!
- IS ONGOING ANTIFRAUD TRAINING PROVIDED TO ALL EMPLOYEES OF THE ORGANIZATION? Y/N
- DO EMPLOYEES UNDERSTAND WHAT CONSTITUTES FRAUD? Y/N
- HAVE THE COSTS OF FRAUD TO THE COMPANY BEEN MADE CLEAR TO EMPLOYEES? Y/N
- HAS A POLICY OF ZERO TOLERANCE FOR FRAUD BEEN COMMUNICATED TO EMPLOYEES THROUGH WORDS AND ACTIONS? Y/N
- IS AN EFFECTIVE FRAUD REPORTING SYSTEM IN PLACE, SUCH AS A THIRD PARTY HOTLINE? Y/N
- HAVE EMPLOYEES BEEN TAUGHT HOW TO COMMUNICATE CONCERNS ABOUT KNOWN OR POTENTIAL WRONGDOING AND WHERE TO SEEK ADVICE WHEN FACED WITH CERTAIN UNETHICAL DECISIONS? Y/N
- DO EMPLOYEES TRUST THAT THEY CAN REPORT SUSPICIOUS ACTIVITY ANONYMOUSLY AND/OR CONFIDENTIALLY AND WITHOUT FEAR OF REPRISAL? Y/N
- HAS IT BEEN MADE CLEAR TO EMPLOYEES THAT REPORTS OF SUSPICIOUS ACTIVITY WILL BE PROMPTLY AND THOROUGHLY EVALUATED? Y/N
- DOES THE ORGANIZATION SEND THE MESSAGE THAT IT ACTIVELY SEEKS OUT FRAUDULENT CONDUCT THROUGH FRAUD RISK ASSESSMENTS? Y/N
- ARE SURPRISE FRAUD AUDITS PERFORMED IN ADDITION TO REGULARLY SCHEDULED FRAUD AUDITS? Y/N
- IS THE MANAGEMENT CLIMATE AND TONE AT THE TOP ONE OF HONESTY AND INTEGRITY? Y/N
- ARE EMPLOYEES SURVEYED TO DETERMINE THE EXTENT TO WHICH THEY BELIEVE THAT MANAGEMENT ACTS WITH HONESTY AND INTEGRITY? Y/N
- HAVE FRAUD PREVENTION GOALS BEEN INCORPORATED INTO THE PERFORMANCE MEASURES AGAINST WHICH MANAGERS ARE EVALUATED? Y/N
- HAS THE ORGANIZATION ESTABLISHED, IMPLEMENTED AND TESTED A PROCESS FOR THE OVERSIGHT OF FRAUD RISKS BY THOSE CHARGED WITH CORPORATE GOVERNANCE? Y/N
- ARE FRAUD RISK ASSESSMENTS PERFORMED TO PROACTIVELY IDENTIFY AND MITIGATE THE ORGANIZATION’S VULNERABILITIES TO INTERNAL AND EXTERNAL FRAUD? Y/N
- ARE THE FOLLOWING ANTIFRAUD CONTROLS IN PLACE AND OPERATING EFFECTIVELY?
  - PROPER SEGREGATION OF DUTIES? Y/N
  - USE OF AUTHORIZATIONS? Y/N
  - PHYSICAL SAFEGUARDS? Y/N
  - JOB ROTATION? Y/N
  - MANDATORY VACATIONS? Y/N
- DOES THE INTERNAL AUDIT DEPARTMENT HAVE ADEQUATE RESOURCES AND AUTHORITY TO OPERATE EFFECTIVELY AND WITHOUT UNDUE INFLUENCE FROM SENIOR MANAGEMENT? Y/N
- DOES THE HIRING POLICY INCLUDE THE FOLLOWING?
  - PAST EMPLOYMENT VERIFICATION AND REFERENCE CHECKS? Y/N
  - CRIMINAL, CREDIT AND BACKGROUND CHECKS? Y/N
  - DRUG SCREENING? Y/N
  - EDUCATION VERIFICATION? Y/N
- ARE EMPLOYEE SUPPORT PROGRAMS IN PLACE TO ASSIST EMPLOYEES STRUGGLING WITH ADDICTION, MENTAL/EMOTIONAL HEALTH, FAMILY OR FINANCIAL PROBLEMS? Y/N
- IS AN OPEN DOOR POLICY IN PLACE THAT ALLOWS EMPLOYEES TO SPEAK FREELY ABOUT PRESSURES, PROVIDING AN OPPORTUNITY TO ALLEVIATE SUCH PRESSURES BEFORE THEY BECOME ACUTE? Y/N
Ever heard the phrase “knowledge is power”? In most cases, having more knowledge enables us, as human beings, to deal more effectively with situations. That said, I wanted to talk about something that is becoming increasingly important in the fight against employee fraud: anti-fraud education, or what we at Fraud Investigative Services call Fraud Prevention Training. This is a comprehensive, 8-lesson course that teaches the fundamentals of how small businesses are victimized by employee fraud and how they can protect themselves from it. The two major reasons that small businesses are especially vulnerable to employee fraud are: 1) organizations with few employees often lack basic accounting controls, and 2) there is a high level of trust in small organizations, so employees and management tend to be less alert to the possibility that fraud may be occurring. Fraud Prevention Training can go a long way towards increasing the odds that employee fraud will be discovered early on, as employees will be more vigilant and aware of the red flags of fraud.