Critical for Internal Fraud Prevention | Monitor Your Performance Data and Payroll Systems. [Part 2 of 3]

Internal fraud prevention: in depth discussion of data monitoring, ways to identify payroll fraud and insights into who might put your company at risk.
Pete Miller CPA certified fraud examiner

This is Part II of a three part series on preventing internal and external fraud.

In Part I, we learned about new techniques clever thieves from the outside use to access company information to steal your money. I shared a real-life example about how someone stole hundreds of thousands of dollars from a family-owned company. Finally, Certified Fraud Examiner, Pete Miller, CPA, shared just how important “tone at the top” is in preventing fraud.

Next, we’ll look at some:

  • Ways people commit internal fraud.
  • Learn about one of the most effective management techniques to prevent fraud
  • Learn who in your organization is more likely to commit fraud. (Hint: it might not be who you think it is.)

Lauren: We talked about fake vendors and fraudulent expense claims. What are some of the other ways that internal fraud happens?

Pete:  Much like fake vendors, fake employees is kind of the same idea. This would be a little bit more likely with a larger enterprise where not everybody knows everybody. But it could be either a flat out fake employee that’s entered into the payroll system or it could be padding hours with an hourly pay that doesn’t match up with how that person is working. There are a variety of ways to perpetrate a fraud into the payroll system, including providing benefits to folks that aren’t eligible to receive benefits.

I’ve seen even creative things where somebody sets up a fake employee or a secondary employee with their social security number and they set up a paycheck that gives them a hundred percent withholding. It’s a $5,000 paycheck that’s all withheld and sent to the IRS. And you might ask, “Why in the world would a thief do that?” Well, when they get their tax return at the end of the year, they’ve had this massive withholding sitting at the IRS so the thief then gets a big refund when they file their tax return.

Wow! They just use the IRS as their bank. These are such great ideas that I almost don’t want to share them.

I do tend to start my conversations on this topic with the idea that this is not a training course. It’s not a how to; this is how to be mindful of the things that could be going on that you need to watch out for. And that speaks to another prevention mechanism that has started to rise with enhancements in technology and that’s data monitoring. Big data is a big topic everywhere. But it’s a big topic inside of fraud prevention circles as well. Data monitoring is something that, as a prevention technique, continues to be one of the most effective ways to catch fraud. The data isn’t necessarily 100% financial data. That’s certainly helpful.  You can find inconsistencies and irregularities just by looking at financial data alone. It really becomes powerful when you factor in operational data, meaning how many units did we sell last month, how many people do we have on staff, etc.

Data Monitoring: Look for Financial AND Operational Inconsistencies

For example, knowing what your payroll and other numbers should look like so that if they start changing that encourages a deep dive into what’s really going on.

It develops into dashboarding and looking at key performance indicators. But you can really dive into details now in a much more meaningful way because of the enhancements in technology.

Is that typically done by a third party or is that just part of internal review when companies are just looking at their metrics and monthly or weekly financials?

I encourage all our clients to build it into their monthly closing process. We make our way through the closing checklist and we did all the steps that we think we need to do to close the books down. Now let’s go back and take a critical look at things and say, “Is there anything unusual that just doesn’t make sense?”  Or, “Let’s develop a kind of a standard battery of tests that we can apply to the data and see if anything sticks out.”

Every company or organization has a story that is going on about what’s happening inside the company. It could be that we’ve opened a new manufacturing plant or we picked up that great big new customer or we hired 10 more people. There are facts that are operational in nature and there are facts that are financial in nature. You should see financial results that match up with the operational facts. And if you don’t, or if you see things that are wildly different from that story, then you have something to examine more closely. I track the effectiveness of fraud prevention in companies that have a routine of monitoring their data. I look at the relative size of fraud that takes place in companies that do install this type of control versus the relative size of fraud for companies that don’t. It’s not that data monitoring stops a fraud from happening at all, but it catches it a lot sooner. You might have a $50,000 fraud instead of $200,000 fraud. Data monitoring is near the top of the list of effective fraud prevention approaches.

If you’re the boss, you must be able to ask the right questions and have some comfort level reviewing the financial side of things.  You don’t need to become a CPA or an accountant but you need to look at financial statements and the data and ask, “So what’s going on here?” And it’s not only to be able to detect and/or prevent fraud, but to improve your company’s performance.

Or an owner or CEO might be comfortable analyzing their profit and loss statement, showing revenue and expenses. But that whole Balance Sheet statement can be a scary thing.

That’s a vulnerability if the owner really doesn’t have much of a finance background or training or awareness. If the CFO is fraud minded, they’ll exploit that and they’ll be able to explain away certain things in certain ways that the owner or CEO will buy off on. It’s a common issue.

Sometimes companies have someone in their accounting department who, when they started out, was skilled enough for the job. Over time, the company grows and the accounting person doesn’t have the skill set to match the company’s current need.  You have a bookkeeper who’s doing an accountant or controller’s job. And even the owner might only bring in an outside CPA at the end of the year to make the taxes go away. The owner puts an inordinate amount of trust in this long-time employee. It’s not fair to that person who’s in the job. If they are not skilled enough they are going to be prone to mistakes and, even worse, create an opportunity for fraud.

Building infrastructure in the finance department in a growing company is often the last thing that happens.

You used the word trust and that’s a big part of this too. Blind trust is very dangerous, particularly in the finance world. One of the things that’s interesting about internal fraud is the age of the perpetrators. The age of the fraud perpetrator follows a bell curve. It peaks at the late-40’s. Think about the sort of things that are going on in a person’s life in their late 40’s. All kinds of problematic sorts of things could be happening in their personal life. You could have mid-life crisis, kids in college, an ailing parent, a gambling addiction.

Blind trust, Accessiblity and “Tone at the Top”

They could be facing a health crises and huge debt because of it.

You could have all sorts of things. From a job standpoint, that person in their late 40’s, might have been in the same company for a long time. They’ve developed a lot of trust, they’ve risen to a lofty position inside that company. They know where all the vulnerabilities are. It’s not all that surprising that that person would have both the motivation and opportunity to commit a fraud. However, since they’ve been there a long time the owner has a lot of trust in them. But the risk profile of your key people changes and evolves over time. It’s not intuitive, necessarily, but the owner or the CEO needs to be aware of that and alter their strategy a little bit. They need to do a risk assessment on their people which will shift for that person who’s in their late 40’s who has three kids in college, their folks are ailing, and they’ve been having to spend time away from the office. They’ve got a lot of financial needs that could create a potential for fraud. You may need to watch that a little bit better.

It’s not necessarily the person who’s a serial liar or sociopath who will steal you blind. It’s more likely to be somebody you trust, given the right circumstances in their life.

They’ll do the wrong thing in the right circumstances. It could be addiction, it could be debt, it could be who knows what. But they’ll do the wrong thing in the right circumstances. For internal fraud, the statistic is something like 85% of fraud perpetrators are first timers. It’s not the career criminals that are leading the charge on internal fraud.

Some companies do background checks and credit checks on potential hires. But that would not help in your example of the trusted employee with a personal money crisis. to prevent fraud is “Tone at the Top”

Just doing those first checks isn’t enough. For a CFO position, chief accountant or controller, accounting manager, director of finance, VP, whatever the title – if I’m the owner of the business, I’d get their permission to run their credit occasionally.  Does this person have a lot of debt piling up? Are they motivated somehow that way? Do I need to keep an eye on things? What’s going on? So that process needs to be in place.

The other approach, which again speaks to tone at the top, is just managing by walking around. Walk around the office floor every occasionally, have one-on-ones with people, take the time to find out what’s going on with them. Just be that inquisitive, caring person and you’ll learn a lot about what’s going on. For example, it might be: “Oh gosh, I didn’t realize your mom is at the hospital!” or “I didn’t realize Tommy is going off in college, that’s great!”.  Be aware of what’s going on in somebody’s life so that when you’re sitting down every month to look at the data, you’ve got those other little pieces in mind. For example, “Well, I’m seeing margins slip,” or “I’m seeing payroll costs go up. That’s kind of unusual.” At the same time, I just realized that a couple months ago, Mr. CFO had some medical deal that he had to deal with. It gives you a little bit more direction and should raise your eyebrows a little bit.

Listen to Your Gut! Pay Attention to and Act on the Signs

Have you found clients that have been gone through in a fraud experience that, looking back, admit that ignore the warning signs?

Yes. Not all of them, but certainly many look back and say, “With hindsight, I feel like I should’ve known or I should’ve seen these signs or I did but I explained them away, one way or another.” To a certain extent, it’s trusting your gut and following through.

Listen to your gut and be aware of the signals that are coming in.

Have the discipline to follow through. It’s “trust but verify.” It’s the attitude of, “It’s not that I don’t trust you, I wouldn’t be doing my job if I didn’t double-check.”

The average length of an internal fraud incident is 18-24 months. What’s the data on the average amount?

It depends. The relative frequency of internal fraud goes up as you go down the chain of command. The lower level employees, the rank-and- file, are the ones who are perpetrating fraud most often from a frequency standpoint. Mid-level managers are in the middle for fraud occurrences and the owners/executive either don’t do it or don’t to it as often. However, the opposite is true on the dollar amount. So, the rank-and-file employees are doing it more often but getting away with more modest sums of money. It’s around a $100,000 per case in the studies that I follow. It ratchets up from there. The cases with executives are more up around a million dollars, even though it doesn’t happen all that often. But when it does happen, it’s a bigger hit. That’s the part of the risk assessment puzzle that’s important to keep in mind. We can’t just focus on the things that might happen at that million-dollar level because they’re less frequent.

Ten $100,000 thefts is a million!

Exactly!

What’s the impact to the company? What’s the worst you’ve seen in a company hit by fraud? Have they folded?

More often, it’s damaging and it takes time to recover. I’d say that that happens more often but I have seen where they come upon something and the thief doesn’t have the money anymore so there’s no opportunity for restitution. The company is badly wounded. Insurance coverage for something like this is usually capped at about $50,000. If you have a fraud that’s been going on for years and years, it’s easy to see how that could grow above $50,000 dollars. It’s not something that you can necessarily ensure against entirely. It does hurt a lot.

In Part III, we’ll talk with a business owner who was able to stop a check forger before losing thousands of dollars.