In Parts I and II of our fraud series, we learned some of the techniques increasingly sophisticated thieves use to steal from companies just like yours. In Part III, Certified Fraud Examiner Pete Miller of Clark Nuber shares how to minimize the chances that someone will commit fraud.
Odds of a Perpetrator Being Prosecuted…
Lauren: Let’s say we catch the perpetrator. What happens to these people? Arrest? Conviction? Imprisonment? Or are they just fired and kicked down the road to the next unsuspecting employer?
Pete: In my experience, it rarely goes as far as a criminal case and jail time. If anything, it turns into a civil case which doesn’t carry the same weight. It’s not criminal so you’re not going to jail. You’ll have restitution and things of that nature which, again, if the money’s there, great. If not, that restitution turns into withholding from their paycheck where they pay for it for the next 40 years. You get resolution from a very, very painful small stream of payments. It’s up to a judge and jury to determine if somebody’s committed fraud. The reality is that for a $100,000 fraud case, the chances of getting the attention of a prosecutor who has larger cases involving violent crimes is just too small to make its way up the priority ladder.
So even if you were doing background checks on people, it’s more likely nothing would show up because they have no prior convictions.
Chances are, the employers are not going to disclose certain things like that for fear of slander and things like that. It can fly under the radar. Background checks can help you keep out the serial thieves. It’s not fool-proof.
So, besides a good tone at the top, inquiry into and knowledge of what’s happening with your employees, looking at data on a disciplined basis and acting on it, and doing credit checks on key employees involved with money, what else can an owner do? Talk to me about Fraud Hotlines.
It’s good to have common checks and balances in place. What accountants and auditors do are typical internal controls: balancing a checkbook, secondary reviews, things of that nature. All of that is good but the purpose of those things is to catch mistakes as opposed to fraud.
Chances are if something like that’s going on, somebody knows about it but they don’t feel comfortable disclosing it for fear of retribution or retaliation. Having an anonymous outlet for employees to report suspected fraud is key. An example is a 24/7, 1-800 fraud hotline or website that employees can report to. It’s proven that the size of the fraud drops if you’ve got a hotline.
These are third party companies that run a hotline that a company could subscribe to?
Yes, they subscribe to one of these hotlines monthly. Let’s say a company had such a hotline. If they had an employee who was aware of a fraud incident, that employee could call the hotline, and then the hotline company would call the designated contact person and/or boss and report the incident. The contact person could be the CEO, the chair of the audit committee, or someone in HR. You should have two people listed as contacts.
Because otherwise it could just go back to the person committing the fraud!
Yes. You should have two people, for sure. Generally, the hotline company is not going to do any investigations. That’s up to the client company to decide what to do.
A hotline is quite effective at catching those ongoing frauds. As I talk to my clients about this they say, “Well, gosh, I don’t know, I’m a little worried that if I put in one of those things, then I’m just going to be chasing false positives all the time, or I’ll get dramas like, ‘Suzy ate my yogurt. It was in the fridge’ and I don’t want to deal with that!”
Surveys and statistics show that you can count on a hotline generating one or two calls a year for every hundred employees. It’s a modest amount of time that’s worth your while even if you go five years or 10 years without anything going on. The amount of time that you might have chasing any false positives is worth it to catch something that’s real.
Is the fee for that type of service dependent on the size of the company?
Yes. It just depends on how robust a system you want. For instance, we host a hotline on clarknuber.com. We’re on the low-end of things at $500 a year. More expensive services will have more robust reporting and so on and will cost more money.
Also, just because you don’t have the budget or the need necessarily for a formal internal audit department, doesn’t mean you can’t do the same thing on a spot check basis. You just decide, “Well, this month I’m going to dive into the inventory cycle and see what the purchasing behavior looks like and who the vendors are. Then maybe next month, I’ll jump into the general accounts payable cycle.” You can kind of bounce around. It keeps people on their toes, which is good.
The “perception of detection” is a phrase that I use. That whole rotational process I described means that you never know what the boss is going to focus on this month. It could be my area. So, that alone can deter somebody from committing a fraud because there’s a chance that they’re going to be looking my way. Doing that, even for the sake of scaring folks into submission, is worth it. I’ve heard stories of CFOs that will angrily walk their way to the accounting department and say, “How in the world did this check make its way through without someone giving an approval for it?” and make a scene about something that is completely minor and not really all that important. They do it for the sake of establishing that attitude and that trust but verify kind of a thing.
This kind of culture makes it that much more comfortable for a rank-and-file employee who sees something to bring it up to you and say, “You know we talked about this thing last time and I just want to run something by you. I saw this the other day and I wasn’t sure what was going on and I wanted you to know.” Without that type of climate in place, that employee might think, “Oh gosh, I don’t know. This is going to be a big deal. I don’t want to be ratting somebody out.”
Risk Assessment – Not Just For Fraud
What are some other resources to prevent fraud?
The hotline is a great one. Training. There’s training that’s led by you or outsourced to other folks or a combination. That’s a helpful part to build into this. I’ve mentioned the phrase risk assessment a couple of times. That’s typically a process that a third party comes in to facilitate. It’s not entirely internal. Doing a risk assessment is important for so many reasons. It’s usually more of an enterprise-wide assessment.
You’re looking at all sorts of risk and not just risk related to fraud.
For example, you and your team ask: “To do business in this geography, what sorts of things could come up that will result in reputational damage?” All sorts of risks are out there. A driver may make a poor choice and have some catastrophe take place in the road. You identify all the potential risks. And fraud is certainly part of that. Once you’ve gone through and identified the risks, you score them and put them on a heat map, rank them by a combination of the likelihood of the risk happening and the impact if it did happen.
One axis on this chart measures the likelihood of risk occurrence and the other axis measures the impact of the effect if it did. You’d want to zone in on things that land in that upper right-hand quadrant of high-risk/high-magnitude.
Upper right quadrant, that’s what you want to focus on first.
And who does these risk assessments?
There are all kinds of consultants that do these sorts of things. We certainly do. It starts out with a lot of interviewing and a lot of analysis and those sorts of things. The conclusions could be fairly wide. There could be a potential risk identified and we insert an internal control or some process that mitigates that risk. There might be risks that we’re willing to accept. While it’s good to know that they exist, we’re not going to do anything and that’s okay. It could be that you’ve shared the risk or transferred it, or you insure against it. You buy an insurance policy for cybersecurity, for instance, or some other insurance policy, and that’s the way you mitigate things. It’s a good idea to have a risk assessment done from time to time.
Once a year? Once every couple of years?
Think about how often you reboot your strategic plan. It’s a 5-10-year cycle. The formal enterprise-wide risk assessment is a longer time horizon. What I find is that the notion of doing risk assessments on a smaller scale is something that catches on. You wash, rinse, and repeat the entire process. You identify the risks associated with that narrow issue and then figure out, “Okay, how do we mitigate these somehow? What do we accept?” The go-no-go decision happens at that point.
Anything I should have asked that I didn’t?
Pete: I don’t think so. It’s been a good conversation!
Next up, how quick action by one business owner helped minimize the impact when outside thieves targeted his company.