fraud detection prevention...prevention, both on our website and in our monthly newsletters. this...

Fraud Detection & PreventionA look at minimizing your risk

www.wndecpa.com

INTRODUCTIONDishonesty and unethical business practices are common in the business environment. For example, the Association of Certified Fraud Examiners estimates that a typical organization loses about 5% of its revenues each year to occupational fraud. Accordingly, fraud is an ever-present risk to businesses.

As a service to our clients and our community, WNDE has written and featured a series of articles on fraud detection and prevention, both on our website and in our monthly newsletters. This e-guide is a compilation of those articles and will serve as a comprehensive resource to help business owners identify and prevent fraud in the workplace. Noted below are a list of the subjects that will be covered throughout:

• Red flags that fraud may be occurring at your business

• How to develop a successful fraud prevention program

• Developing a fraud “hotline” that employees can trust

• Basic controls over wire transfers

• Illustration of basic controls over wire transfers

• Controls over Automated Clearing House (ACH) transactions

• Controls over cash registers and cash receipts

• Detection and prevention of purchasing fraud

• Use of “data analytics” to detect or prevent purchasing fraud

• Key controls to prevent inventory fraud.

WNDE | Fraud Detection & Prevention

RED FLAGS THAT FRAUD MAY BE OCCURRING AT YOUR BUSINESSThe Association of Certified Fraud Examiners (ACFE) publishes data on why employees commit fraud. According to the ACFE, employees may commit fraud if three elements are present:

• Motive: The employee has an immediate need for money that cannot be satisfied by legitimate means. For example, the employee may have maxed-out his or her credit cards, borrowed money from relatives and friends and taken out short-term bank loans - and yet is still desperate to obtain additional funds.

• Opportunity: The employee may have access to cash or other assets, and there is a lack of segregation of duties which would otherwise prevent a fraud. For instance, an employee may be in charge of the company’s general ledger, and also be authorized to prepare checks. The employee could prepare a check to a fictitious vendor, forge the check signature, deposit the check in his or her personal bank account, and make entries into the general ledger to cover up the fraud.

• Rationalization: The employee justifies or excuses his or her conduct.

There are certain Red Flags that fraud may have occurred at your business:

1. There may be an unusual or unexplained decrease in cash receipts or increase in cash disbursements.

2. The conduct or personal circumstances of a company officer or employee may cause suspicion, such as:

• A lifestyle that is well beyond what would be expected at his or her compensation level (expensive cars, expensive vacations, etc.)

• Heavy private debts

• A drug addiction, alcohol addiction or gambling addiction problem

• An employee that has grievances against the company.

3. A “whistleblower” may come forward and alert management of an actual or suspected fraud. This person could be an officer, employee, informant, vendor, customer or other outside party. (Note: The Association of Certified Fraud Examiners has published statistics that almost 40% of fraud is discovered by tips.)

If any of these Red Flags are present, the company should consider performing a confidential fraud investigation under the direction of the company’s counsel.


As a result of our firm’s experience in conducting fraud investigations and in assessing fraud risks for our clients, we have concluded that a successful fraud prevention program should include the following five key elements:

• Tone at the Top. Top management must set an example of the highest level of ethics, integrity and honesty. If employees observe high-level officers conducting business in this fashion, such behavior is a strong deterrent to other employees from committing fraud or other unethical behavior. Conversely, unethical behavior by top officers may create an “environment” that encourages employee fraud.

• Codes of Conduct and Ethical Standards. The business or organization should adopt written codes of conduct and ethical standards.

• Fraud Prevention Manual (Manual). The business or organization should have a Fraud Prevention Manual. The Manual should include disciplinary measures for violations, such as dismissal from the job, civil litigation to recover misappropriated funds and/or the referral of fraudulent activity to the District Attorney for criminal prosecution.

• Strong Internal Controls and Procedures. The business or organization must have strong internal control systems and procedures, where there is a proper segregation of duties between the custody of assets and those accounting for such assets, and where there are multiple personnel checking on the propriety of financial transactions.

• Continuous Monitoring of Financial Transactions. There should be continuous monitoring of financial transactions for the possible misappropriation of assets or other improper conduct. In our experience, a successful program involves one or more of the following elements: 1) an internal audit function, 2) the use of fraud “hotlines”, whereby employees, vendors, customers, whistleblowers and/or informants can provide “tips” on suspicious activity, and 3) the use of “data analytics” or “data mining” software to identify unusual trends or transactions in large computer databases.

In order for the program to be successful, high-level officers must “take ownership” of the program, communicate the program to employees via educational meetings or seminars and monitor the program for compliance.

HOW TO DEVELOP A SUCCESSFUL FRAUD PREVENTION PROGRAM


DEVELOPING A FRAUD HOTLINE THAT EMPLOYEES CAN TRUSTWHAT IS AN EMPLOYEE FRAUD “HOTLINE”?

Employee tip hotlines are one of the most effective tools that organizations possess for detecting and preventing fraud. Because tip hotlines encourage and facilitate anonymous reporting, they are a proven fraud deterrent that can be implemented at a reasonable cost. Tip hotlines can be administered in house, or “outsourced” to an independent provider. Tips can be accepted by phone, fax, U.S. Mail, email and web-based systems. Tips must be anonymous and confidential; if there is any risk that an employee’s identity will become known, employees will not support the arrangement.

Noted below are some features of a typical “outsourced” hotline:

• Tips lines are usually available 365 days per year, 7 days per week, and 24 hours per day.

• The outside hotline provider will normally provide “case management” services, to track the case from inception to resolution.

• Many hotline providers make multilingual services available.

• If a matter results in litigation and/or prosecution, the employer can outsource this function, or handle it in house.

KEYS TO DEVELOPING A HOTLINE THAT EMPLOYEES CAN TRUST

Noted below are certain keys to developing a hotline that employees can trust.

• Education and Training: If employees do not understand how the hotline system works, then they are unlikely to make use of the hotline. Thus, employers (or an outside hotline provider) should train employees on the mechanics of the system and how the hotline reporting program works.

• Ongoing Communication: To keep the program in the minds of employees, management should send periodic messages to employees about current developments in company ethics policies, the success of the program, changes in procedures that have been made as a result of information received on the hotline, etc.

• No Management Involvement in Hotline: If employees are reporting issues with company management, they may be hesitant to use a hotline where employees report directly to company officials or other company employees. In this situation, it is usually most effective to use a third-party company to administer the hotline service.

• Quick Responses to Employee Tips: If an employee has witnessed a fraud or some type of wrongdoing, and reports this through a hotline, this can be a very emotional experience. The whistleblower might even be a victim, or might be at risk by coming forward. The concerns of the employee should be immediately addressed in a professional manner, and procedures should be put in place so that they are protected from retaliation.


BASIC CONTROLS OVER WIRE TRANSFERSCompanies and other organizations often fall victim to online “phishing” schemes or phone scams, whereby fraudsters trick officers or employees into disclosing confidential codes or procedures involved with the processing of wire transfers. Noted below are some basic internal controls that will help safeguard wire transfers from fraudulent misappropriation.

GENERAL INTERNAL CONTROL PRINCIPLES

For large-dollar wire transfers that are material to a company’s financial position, the following general principles should be used when establishing controls over wires:

1. The initiation and processing of wire transfers should not be executed solely by automated systems and procedures. There should be human involvement in the process, whereby two or more high-level officers review and approve the transaction.

2. Established internal control procedures for wire transfers should not be circumvented. This will prevent employees from sending wires on an “emergency” basis because of a fraudulent email, text or phone scam.

WIRE AGREEMENTS WITH BANKS AND OTHER FINANCIAL INSTITUTIONS

Banks and other financial institutions usually have standard wire agreements, which include specified procedures for initiating and processing wire transfers, password and encryption controls to be used, which bank and company officials are authorized to execute wires, etc. Company officials should read, and carefully comply with, the terms and conditions of the wire agreement. Also, the wire agreement should be reviewed on an annual basis, and amended if the parties to the wire transfers have changed.

Caveat: If the provisions of the wire agreement are not followed, the bank may not indemnify the company if a fraudulent wire transfer occurs.

SEGREGATION OF DUTIES

Controls will be strengthened if the person, or persons, who initiate wire transfers (i.e., the person that originates the paperwork, inputs the amount of the wire into the cash system, etc.) is separate from the person, or persons, who are authorized to execute (send) the wire transfer.

APPROVAL SIGNATURES

Although computer-generated facsimile signatures may be used by a company, controls will be strengthened if approval signatures are done manually. (This shows that the person has personally reviewed and approved the wire transfer forms.)


ILLUSTRATION OF BASIC CONTROLS OVER WIRE TRANSFERSNoted below is a “conceptual model” as to how wire controls could be established to require personal involvement and approvals by multiple high-level company officials.

Note: The illustration below assumes that these company policies apply to large-dollar wire transfers that could materially affect the company’s financial position. The company may have different controls for small, recurring wire transfers. Also, these control procedures may vary depending on the controls available through the participating banks or financial institutions.

ILLUSTRATION:

Assume that Company X has a banking relationship with Bank A, and that the following controls are in place:

1. Company X has executed a wire agreement with Bank A, setting forth various password and encryption procedures, and other required controls. The wire agreement with the Bank is renewed annually, and sets forth which specific Company officials are authorized to initiate wires and/or execute (send) wires. The agreement also specifies what persons at Bank A can execute the wires. Company officials who are authorized to do wire transfers have personally communicated with the bank officials who will be processing the wires, and recognize the voice of the bank officials that they will be doing business with.

2. On the day that a wire will be executed:

• Mr. Jones, the Assistant Controller of Company X, prepares the wire transfer forms, approves the form using a computer-generated facsimile signature, and submits it to Mr. Smith, the Controller, for approval.

• Mr. Smith manually signs the wire transfer form, and emails a pdf copy of the wire form to Ms. Johnson at Bank A. Ms. Johnson has Mr. Smith’s signature on file and compares the signature for accuracy.

• Mr. Smith also sends an email alert to Mr. Gregory, the President/CEO of Company X, setting forth the nature and dollar amount of the wire.

• Ms. Johnson phones Mr. Smith, and confirms that she has received the wire and the amount of the wire. (Mr. Smith and Ms. Johnson regularly do wire transfers, and they recognize each other’s voice.)

• Before executing the wire, Ms. Johnson sends an email alert to Mr. Gregory, the President/CEO, requesting final approval of the wire. Using special password and encryption controls, Mr. Gregory gives final approval to the wire transaction. If the dollar amount or the nature of the wire transfer is a cause for concern to Mr. Gregory, he can take immediately action to stop the wire before it is sent, and avoid a possible large-dollar loss.


CONTROLS OVER AUTOMATED CLEARING HOUSE (ACH) TRANSACTIONSACH debit transactions include electronic checks or direct debit payments. Noted below is a summary of key controls that need to be in place to prevent fraudulent ACH transactions.

Note: For purposes of the discussion below, the term “company” has been used for the entity initiating an ACH transaction. The term “company” can be used interchangeably with any entity initiating an ACH transaction, such as a government agency, a nonprofit corporation, a partnership, a trust, etc.

HOW THE ACH SYSTEM WORKS FOR VENDOR PAYMENTS

The process is as follows:

1. A vendor preauthorizes the company to initiate a transaction to their bank account. The authorization includes an agreement between the company and the vendor before ACH transactions can take place.

2. The company logs into the website of its bank, and prepares a batch of transactions to be paid through ACH, and that batch is then electronically submitted to the bank.

3. The bank transfers the information to the Federal Reserve Bank’s Automated Clearinghouse Division. The clearinghouse processes the information and deposits the payment(s) into the vendor’s account.

BASIC INTERNAL CONTROLS OVER ACH TRANSACTIONS

Adequate Segregation of Duties:With respect to the ACH cash disbursements of a company, at a minimum, a separation of duties should exist between the following individuals:

• Person(s) in charge of maintaining the vendor master file

• Person(s) who are involved in reviewing, processing and approving a vendor invoice or other disbursement transaction, and

• Person(s) entering ACH transactions online.

Use of ACH Filters:ACH Filters enable account holders to provide their bank with a set of predefined criteria (e.g., designated payees or dollar-amount limits) against which the bank can “filter” ACH debit transactions that do not meet these criteria.

Use of ACH Blocks:ACH Blocks allow account holders to prohibit any ACH debits from being made from specific bank accounts.

Positive Pay for ACH Transactions:Positive pay for ACH enables an account holder to review a list of ACH debit requests that have not been preauthorized, and allow the account holder to decide whether to pay or reject the transaction.

ACH “Account Alerts” from Bank:Many banks make a service available, whereby key officers or officials can receive an email, text or voice-mail message “account alert” from the bank when any large or unusual ACH transactions occurs. These Account Alerts may be tailored to the need of the company. For example, a company officer may wish to receive an Account Alert for any ACH transaction exceeding a defined dollar amount, or when a new ACH vendor is established.

ACH Transaction Alerts from Within the Company:A company may have the ability to monitor ACH transactions within its financial accounting software (such as through the use of SQL database software). Email alerts could be sent to key officials when large or unusual ACH transactions occur within the company’s financial accounting system.


CONTROLS OVER CASH REGISTERS AND CASH RECEIPTSMaterial fraud can occur where employees have access to cash - either via a cash register or other cash transactions not handled through a cash register.

In order to help prevent the theft or misappropriation of cash, noted below are some basic controls over cash registers and/or cash receipts:

• Dual Controls/Approval

• Require that paper receipts be given to customers

• Cashiers should not have authority to “void” or “override” a transaction or approve refunds; these transactions should be approved by management or supervisory personnel

• Cashiers should not operate from one cash drawer

• Unannounced (“surprise”) cash counts should periodically made of cash drawers

• Surveillance cameras and/or spotters should be used where appropriate

• “Management Override Reports” should be reviewed and approved by higher-level officers or officials

• “Trend analysis” and “data analytics” should be used to identify any unusual increases or decreases in cash receipts (i.e., a review of daily, weekly, monthly, quarterly or annual cash trends).


DETECTION AND PREVENTION OF PURCHASING FRAUDTYPES OF PURCHASING AND VENDOR FRAUD

Some common forms of purchasing and vendor fraud are listed below:

• Bribery and corruption (kickbacks, gifts and gratuities to company official and/or employees from contractors and vendors)

• Bid-splitting schemes

• Change order schemes (often involving the tailoring of job specs to a specific vendor, or using vague or general spec in the original bid, which allows for later fraudulent change orders)

• Improper awards to “sole source” vendors (who are not truly sole source)

• Improper use of “emergency” POs (where no real emergency exists)

• Improper use of Open/Blanket POs (to avoid required competitive bidding)

• Contract awards to the “too successful” vendor (an indicator of bribes/kickbacks)

• Improper use of company credit cards

• Improper use of “same day” payment requests (to circumvent regular invoice approval procedures)

KEY CONTROLS TO PREVENT PURCHASING AND VENDOR FRAUD

Noted below are some key controls for preventing purchasing and vendor fraud:

• Proper segregation of the functions of 1) issuing POs, 2) receiving goods or inspecting projects, and 3) approving of invoices.

• Education of all purchasing employees on the statutes, regulations and company procedures governing purchasing and competitive bidding.

• Establishment of a Master Contractor and Vendor Listing that cannot be accessed or changed by persons processing POs and approving invoices. The company should also have in place an ongoing “vendor validation process” that reviews and verifies each vendor’s business name, W-9s, tax identification number, phone number, street address, bank account and personal contact names.

• Use of “data analytics” to identify false vendors, excessive contracts to one vendor, contracts in excess of budget, excessive change orders, etc.

USE OF “DATA ANALYTICS” TO DETECT OR PREVENT PURCHASING FRAUDSpecial computer software is available that can perform “data analytics” on a large computer database of purchasing and vendor transactions, in order to identify unusual or suspicious transactions. Examples of data analytics that could be used to investigate possible purchasing fraud are noted below.

• Review of all vendors with PO Boxes (searching for phony vendors)

• Comparison of all vendor addresses and phone numbers with employee addresses and phone numbers (searching for fictitious vendors set up by employees)

• Listing of all invoices without purchase orders

• Listing of all purchase transactions where the invoice cost is greater that the approved purchase order

• Listing of all revisions to the Vendor Master File

• Listing of all new vendors added to the Vendor Master File

• Listing of invoice payments to vendors not on the Vendor Master File

• Listing of all Purchase Orders over the Entity’s approved limit

• Listing of all payments to one vendor (by date or dollar amount)

• Listing of all vendors with “similar” or “sound alike” names

• Listing of all payments with “duplicate” invoice numbers or same dollar amount (i.e., searching for duplicate payments)

• Listing of employees who approved both the purchase orders and invoices for a transaction


KEY CONTROLS TO PREVENT INVENTORY FRAUDIf controls are not in place to prevent the theft of inventory, companies can experience significant fraud losses. Key controls to prevent theft of inventories are listed below:

Segregation of duties between custody of goods and record keeping for the related inventory

High-dollar inventory stored in locked or secured rooms or cages

Storekeepers who are responsible and accountable for quantities on hand

Inventories stored in an orderly manner, properly labeled or tagged (where accurate counts can be made during periodic physical inventory counts)

Unannounced inventory counts by persons other than the storekeeper

Inventories recorded on the General Ledger; large inventory write downs investigated

Use of spotters or surveillance cameras

Application of the “cost/benefit” principle to each inventory location.


About White Nelson Diehl Evans LLPWhite Nelson Diehl Evans LLP represents over 3,000 businesses and 3,500 individual clients. The firm provides a full range of accounting, tax and advisory services that support some of Southern California’s most successful and entrepreneurial companies, as well as governmental agencies and nonprofit organizations. For more information, visit www.wndecpa.com.

fraud detection prevention...prevention, both on our website and in our monthly newsletters. this...

Documents