© March 2003
Association of Certified Fraud Examiners

Protect Small Business

Small companies without adequate internal controls need CPAs to help them minimize fraud risk.

BY JOSEPH T. WELLS

Denise, a bookkeeper for a small trucking firm in Birmingham, Alabama, wishes she had never heard of Ralph Summerford, CPA. Because of his thoroughness, Denise is facing several years in prison for embezzling $550,000 from her employer. At least she will look good standing before the sentencing judge: Denise spent a great deal of her illegal loot on head-to-toe cosmetic surgery. She blew the rest on a shiny new Lexus, luxury vacations, clothing and jewelry. And, of course, Denise had to have a big house to store all of her finery.

Surprisingly, it wasn't the high living that made her employer suspicious. "The owner was going over the trucking company's budget when he noticed Denise's salary was listed at $38,000 a year," said Summerford. "But the business owner distinctly remembered that he had set her pay at $35,000." The owner pulled Denise's personnel file and discovered that someone had altered her pay record. It was obvious to him that no one but Denise would have been motivated to falsely increase her salary. Investigating further, he noticed suspicious-looking wire transfers from the company's bank account. That's when he called in Summerford.

"Like a lot of small businesses, the trucking company had very limited accounting controls," said the veteran CPA, now a partner with Dixon Odom PLLC in Birmingham, Alabama. "In this case, the sole division of responsibilities concerned authorizing all the checks. While only the owner could sign checks, Denise did everything else: post the books, reconcile the checking account and authorize wire transfers."

Her scheme was simple. After wiring money directly from the company bank account to her own, Denise would post the books, charging the funds transfer to one or more expense accounts. Then, when she reconciled the bank account, she simply would tear up the evidence. Summerford investigated the fraud case, interviewed Denise's coworkers and assembled the documentary evidence including bank statements, wire transfer requests and deposit slips. He then prepared charts and exhibits summarizing the scheme, which he included in a written report to prosecutors. Summerford's work was used to indict Denise for her thefts.

"Denise was well aware the owner did not review the bank statements," said Summerford, also a certified fraud examiner. "And since the business was not audited, there was no independent review of Denise's work; yet almost any degree of scrutiny of the bank statement could have prevented this scheme."

Summerford said most schemes like Denise's start out relatively small. "But when thieves avoid detection, it motivates them to steal even more," he said. "Many will continue to steal from a small business until it literally runs out of money and goes broke."

Although the trucking company didn't go bankrupt, Denise's thefts were extremely costly. Small organizations face a serious fraud problem: Dishonest employees will steal them blind.

BIG CONCERN FOR SMALL BUSINESS

Small businesses have every reason to worry about fraud. According to the Association of Certified Fraud Examiners' (ACFE) "2002 Report to the Nation on Occupational Fraud and Abuse," the per-employee losses from fraud in the smallest businesses are 100 times the amount of their largest counterparts. (The complete report can be downloaded at www.cfenet.com. ) Thus, this is an area in which CPAs can be valuable consultants to their clients. Most small businesses don't have a need for a CPA to do a full audit; however, CPAs can provide a number of fraud prevention services.

• Employee education. CPAs can conduct on-site training for clients in the form of live presentations and/or computer-based education.

• Internal control reviews. Reasonable internal controls are critical in a small business. A CPA can review the existing system and make recommendations for improvements.

• Cash reviews and reconciliations. Since 9 in 10 occupational frauds involve the company's cash, CPAs can regularly review receipts and disbursements for anomalies. Although this is an excellent deterrent, it's important to realize that no CPA can guarantee that any specific procedures will uncover fraud.

• Inventory observations and asset verifications. For companies with inventory or other assets that make attractive misappropriation targets, CPAs can observe inventory procedures and/or verify specific items. Both the 1996 and the 2002 ACFE study showed a similar trend: Small business is very vulnerable to fraud. There appear to be three reasons.

• Inadequate employee prescreening. Small businesses rarely spend the money to check work references, criminal records or professional recommendations of potential hires or require applicants to undergo drug screening, psychological testing and other vetting procedures. Undesirable applicants know this and thus gravitate to small businesses. The problem, according to the study, is that about 7% of employees have a history of workplace theft and fraud. This small but costly group knows the degree of scrutiny into their past likely will be minimal; all too often, they are right.

• Limited controls. The bedrock of fraud prevention is the division of responsibilities between employees. The reason is straightforward enough: It is one thing to steal by yourself but quite another to enlist the aid of a coworker. Small businesses rarely have sufficient personnel to adapt adequate controls; "one-person accounting departments" as in Denise's case are the rule, not the exception. Consequently, it becomes important for the owner to overcome this deficiency with reasonable oversight, which can be accomplished two ways. First, the business owner should actively understand and verify the financial information reported to him or her. Second, the owner can engage a CPA to attest to the credibility of the financial information, even if the company doesn't have a regular audit. However, the audit can be a powerful deterrent in its own right: The ACFE study found losses to companies that had audits were about a third lower than losses at companies that didn't.

• Too much trust. The third factor for large fraud losses in small businesses involves the human element. In a situation where employees know each other well, it is natural for them to trust one another. Indeed, the intimate familial atmosphere of a small business is one of its most appealing features. Most of the time, believing in your coworkers is well founded, but not always. The dichotomy is that trust is an essential element of business as well as an essential element of fraud. Never having faith in your employees is a bad thing; so is always trusting them. The goal is to strike a balance between the two. Or, as Mark Twain said, "Trust everybody, but make sure you cut the cards."

OCCUPATIONAL FRAUD SCHEMES

Small businesses are most vulnerable to two types of fraud from within: asset misappropriation and corruption. Moreover, according to the study, the average length an occupational fraud goes on before discovery is about 18 months. By recognizing the common warning signs or red flags of these schemes early, businesses can reduce or avoid losses. Fraud indicators include: rising expenses and/or declining revenue, abnormally high inventory shrinkage, unfamiliar vendors or other payees and excessive spending by employees. Moreover, studies have shown that employees who engage in workplace abuse (excessive absenteeism, goldbricking, pilfering, for example) are at a higher risk to commit fraud.

Isabel Mercedes Cumming, a prosecutor in Baltimore, is a former internal auditor. "We see a great deal of fraud cases involving workers in small businesses," she says. "Most of them involve employees stealing money or merchandise, and some cases involve hundreds of thousands of dollars. In my view there often is a certain naiveté on the part of small business owners who fail to recognize that employees can and do commit fraud. Many of these offenses could be avoided altogether if the owners were alert to the risk and took reasonable internal control measures. Simply stated, small business owners tend to place too much trust in their employees."

ASSET MISAPPROPRIATION

The definition of asset misappropriation is broader than simply theft; an employee who uses the company computers at night to run his or her own side business has not stolen the computers, but certainly something of value has been. Although a crooked employee can misappropriate any company asset, these schemes can be broken down into two major classifications: cash and noncash.

Cash. As a CPA adviser to a small business, ask this question: "If an employee could steal any asset, which one would it be?" In 9 out of 10 cases, the answer is obvious: cold, hard cash. The reasons are equally apparent. A thief working for a test-tube wholesaler would need to fence the illegal bounty on the black market; a dishonest employee working in the coal mines would need to pilfer tons of the stuff to do any good. But like Denise, everyone spends money. Any enterprise's cash is vulnerable in three areas.

Skimming. Skimming involves a crooked worker stealing money from the business before it is received and recorded by the company. The usual culprits are salespeople and accounting department personnel. They filch money that should be credited to sales or accounts receivable

Larceny. Larceny is the theft of currency after the company has received and recorded it. The employee usually is a cashier or someone with easy access to currency. Because currency is generally closely watched, these schemes are infrequent and relatively inexpensive.

Fraudulent disbursements. The most expensive cash frauds relate to fraudulent disbursements from a company's bank account. Employees in the accounting or bookkeeping department are in a position to cook up these schemes. In a typical case, the employee submits a false invoice the company unknowingly pays to the benefit of the thief. Fraudulent billing most commonly involves services that are not rendered to the company. The employee usually conceals illegal payments by having checks made out to friends, relatives and shell companies. In Denise's case, because of a complete lack of oversight, she didn't even have to bother with phony paperwork

Noncash. Although any other asset of the business is up for grabs, crooked employees usually opt to steal something that is particularly useful to them personally. Consumer goods such as clothing, groceries, electronics and jewelry are favorites. Office supplies and equipment (laptop computers, handheld devices, software and calculators) top the list of hard assets likely to be stolen.

CORRUPTION

A less common but much more expensive occupational fraud involves a corrupt employee who conspires with someone outside of the company. For example, purchasing agents and buyers are constantly barraged with offers of free trips, gifts and other enticements by vendors attempting to curry favor. Sometimes these situations turn into outright graft. However, the victim company actually pays the bribe in the form of higher prices or substandard goods and services that the vendor delivers; widgets costing $100,000—which includes a $20,000 kickback—can be purchased on the open market for $80,000 or less.

PREVENT AND DETECT INTERNAL FRAUDS

In addition to the other methods discussed here, CPAs should advise their small business clients about measures to help prevent and detect internal fraud.

Education. Employees are the eyes and ears of small business; if something is amiss, they likely will know about it before management or the auditors. Their education should concentrate on three areas: why fraud occurs, how to recognize it and what to do if they suspect fraud. The AICPA and the ACFE, as a public service, have jointly produced a free one-hour interactive training program that can be used to educate employees about fraud. CPAs can download it from the AICPA Web site at www.aicpa.org/antifraud/training/homepage.htm.

Active oversight. The company's principals need to learn about schemes, too, to be involved in fraud prevention in their companies. Above all, the owner should receive an unopened bank statement so he or she can review it for suspicious transactions. Moreover, the principals need to ensure they understand the entity's revenue and expense streams so they will be able to notice unusual trends.

Reasonable personnel policies. Employees are much more likely to steal from businesses when they perceive they are being treated unfairly or think the business owner is deceptive. In addition to setting the proper example, owners need to make sure they treat employees well and reasonably compensate them. Otherwise, employees might attempt to right their grievances with not only unproductive behavior, but with fraud and theft, too.

Seek professional assistance. When an enterprise has serious questions about fraud prevention and detection, the CPA should advise the owners or principals to seek professional assistance from a CPA/CFE fraud specialist or from some other qualified expert.

THIEVES OUTSIDE THE DOOR

Although historically occupational frauds have been more expensive than white-collar crimes, the rise in the latter points to an increase in crooked customers, vendors and other outsiders. Small businesses are vulnerable in several key areas.

Check fraud. Since the late 1980s, check frauds have grown markedly. As nearly any merchant can tell you, accepting a forged, stolen or counterfeit check is commonplace. A major cause has been the development of laser printers and desktop printing equipment; the tools necessary to pull off this crime are easily and cheaply available at the neighborhood computer store. Another reason for the rise in both check—and credit card—fraud relates to the current wave of identity fraud. Crooks have discovered that it is relatively easy to get a completely fictitious name and the accompanying identification that is necessary for the scheme's success. With false ID, the ocean of commerce is the fraudster's pearl. He or she can open up bank accounts, obtain credit cards, buy property, incur debt, get passports, open offshore accounts—you name it. The best defense to identity fraud is for small business personnel to know their customers. The second-best defense is to train employees who accept checks to be alert to some common signs.

Credit card fraud. Although small businesses are victims of a wide variety of credit card fraud, most of the schemes can be divided into four types: stolen credit cards; identity fraud, which occurs when the card is issued to a user in someone else's name; altered credit cards, changed by flattening the alpha/numeric characters and reembossing them with different identifying information; and counterfeit cards. While some counterfeits and altered cards are undetectable to the naked eye, many more are crude look-alikes. Employees should be alert to:

Aiding in the success of these schemes is the fact that, according to a study by Money magazine, 95% of U.S. cashiers did not verify credit card signatures by comparing them with those of the customers. Like check frauds, the front line of defense in credit card frauds is employee education, which should include awareness of customer behavior. Employees handling credit cards should know that crooked customers frequently display certain characteristics such as

BUST-OUTS

For small businesses with their own charge accounts, CPAs should alert owners and employees to the risk that some customers will purposely buy huge amounts of merchandise and run up debts they have no intention of paying. This type of fraud is called a "bust-out" and usually is committed by newly established commercial enterprises. These "front" businesses normally start off charging small amounts, paying on or ahead of time in order to establish creditworthiness, and then ordering large quantities of inventory on credit. They subsequently sell the inventory at deep discounts, and the fraudsters avoid payment by one of two methods: They pull up stakes and disappear from sight or they file for bankruptcy.

Robert DiPasquale, a CPA and certified fraud examiner with Videre Group in Parsippany, New Jersey, says bust-outs also can be used to acquire a business. In one case, he was hired to investigate the sale of a family-owned retailer of baby furniture.

"The business had been in the family for generations. When one of the sons inherited it, he decided to sell," said DiPasquale. "The buyer paid a small sum as a down payment with the seller financing the balance. After about a year, the payments to the seller stopped. Ultimately, the seller filed a lawsuit to recover the remaining inventory and other assets, but they were long gone."

As a result of the lawsuit, the buyer of the store filed for both personal and business bankruptcy protection. That turned out to be a mistake when DiPasquale was retained to review the buyer's books and records. DiPasquale was able to assemble evidence that indicated the buyer had purchased the business with the intent of defrauding the seller.

"We found out that immediately after the purchase of the business, the buyer began ordering large quantities of inventory that were later moved off-site and sold at huge discounts. Moreover, the buyer was skimming the store's sales for himself," DiPasquale said. DiPasquale's work resulted in both bankruptcy petitions being overturned. The court ordered the buyer to repay the seller the entire sales price with interest.

To avoid becoming the victim of a bust-out, train employees to:

INTERNET AND COMPUTER FRAUDS

Although the Internet and the computer have been a boon to small businesses, this progress has not come without a price. Computer hacking, viruses and spamming have become ordinary, everyday business events. And according to Sandra Johnigan, a Dallas CPA and chairperson of the AICPA's litigation and dispute resolution subcommittee, small businesses are particularly at risk of computer-facilitated crimes. "Moreover, there is a growing trend of employees' using the company's computer to run their own businesses," Johnigan observed. She said that dishonest employees also might steal their employers' technology, customer lists or other business secrets in order to set up a competing enterprise. CPAs should advise their clients to take adequate security measures to protect the company's secrets, including ensuring that sensitive documents are shredded or otherwise rendered unreadable before they are discarded.

With limited personnel, small businesses frequently must compromise on the division of responsibilities. Nonetheless, to keep employees on the straight and narrow, managers should attempt to assign separate workers to the functions of data entry and asset control. In the simplest terms, an employee who controls records should not control assets and vice versa.

Johnigan said that conducting business on the Internet usually is a safe proposition when accompanied by a few basic security procedures. Last year, the White House released a draft report for small business to be mindful of cybersecurity and to consider five simple steps to reduce risks of fraud.

ADVISE, EDUCATE AND STAY ALERT

Fraud is a cost of doing business that is hidden from view. We know about frauds only when they are discovered, and then it sometimes is too late to do anything to avoid catastrophic losses. The first line of defense is a CPA who advises business owners about fraud prevention and detection techniques. These include hiring the right employees—people with no known history of dishonesty—and treating them fairly. Employers and workers need to learn about fraud and how to report it, and CPAs can greatly assist small businesses by providing such antifraud services. Eliminating fraud completely is not possible, but with reasonable measures, its impact can be limited. Preventing fraud from occurring in the first place, however, is the only win-win situation. •

JOSEPH T. WELLS, CPA, CFE, is founder and chairman of the 29,000 member Association of Certified Fraud Examiners in Austin, Texas, and professor of fraud examination at the University of Texas. Mr. Wells' article, "So That's Why They Call It a Pyramid Scheme" won the Lawler Award for the best article in the JofA in 2000.