This article was written by Courtney Handy, CPA, CFE, Manager, Bonadio Strategic Advisory
Congratulations, your business has survived the pandemic! And if your business can survive that, it can survive anything, right? Well, think again…
Up until this point, you may have only had to rely on family members, close friends and/or long-tenured employees you’ve come to trust to perform or oversee critical areas within your small business. But as your business continues to grow, and people retire, move on, or shift responsibilities, you will inevitably need to hire new people. With new employees, comes a fresh perspective and an opportunity to enhance processes. It also comes with an entirely new level of risk, and if you’re unprepared, you could be exposing yourself and your business you’ve worked so hard to build to numerous opportunities for fraud and error. According to the most comprehensive study of occupational fraud and abuse to date published in 2018 by the Association of Certified Fraud Examiners, the median loss per fraud scheme for small businesses, as defined by fewer than 100 employees, is $200k. And approximately 42% of this fraud was caused by a lack of internal controls. Below, we highlight five simple, but critical elements you should consider as your small business grows to prevent fraud schemes from devastating your business.
1. Vendor File Management
The significance of adequate controls over vendor management is crucial and should never be overlooked. Vendor file management includes, among other things, the process to approve, set up and modify vendors in your ERP or accounting software. If you don’t have adequate access and review controls in place, as well as segregation of duties, an employee may add themselves (or a fictitious entity) to the system and ultimately process a payment. You should evaluate the controls you currently have in place and review, approve, and add new vendors to the system. You should also get in the habit of periodically reviewing and verifying the accuracy of critical vendor information, such as address and payment terms, deleting duplicate vendors and deactivating vendors that you have not conducted business within in the past 12 – 18 months. In conjunction with this periodic review, you should also ensure you have the most recent W-9, and any other required documents on file. Performing these steps will not only help prevent duplicate and inaccurate payments from being processed but will also increase the likelihood of you identifying and removing any questionable vendors from the system.
2. Review of Credit Card Statements
Who doesn’t love a credit card? They’re now widely accepted almost everywhere, can be used in lieu of cash when money is tight, and they provide countless rewards. You can even set them to auto-pay so there’s one less thing you have to remember to do each month, but do you consistently review statements and receipts before payment is made? It is not uncommon for company owners to issue company-paid credit cards to trusted employees, such as an Accounting Manager or a CFO with little to no direct oversight. Many business owners fail to establish or communicate credit card limitations and instead, assume these folks use them within reason for business related expenses only. To prevent employees, new or tenured, from misusing or overspending your hard-earned cash, be sure you establish a formal and documented credit card policy that clarifies the terms and limitations of the card. All credit card statements should be mailed directly to you, and you should review them and the receipts, to ensure expenses are reasonable and that you have a solid handle on the type and volume of credit card purchases.
3. Access to Accounting Software Functions
Does your accounting software have the capacity to process, accept and release payments via ACH? While many businesses still pay vendors via the traditional method of paper check, the ability to issue payments electronically may already exist in the software. You may not be equipped or willing to implement this method of payment within the foreseeable future, but as your business continues to grow and you rethink how you can use your resources most efficiently, you may eventually automate this critical function.
To ensure that everyone’s access to your accounting software is appropriate and no one can transfer or release a payment without a secondary level of review and approval, you should review your system’s user access report and limit user permissions on an annual basis. As a standard best practice, you should sign, date, and retain these reports as evidence of review.
4. Review of Bank Statements
Often, we see business owners grant a certain level of bank account permissions to finance personnel. Owners are simply too busy running their business to handle all banking-related responsibilities, such as initiating and approving account transfers, approving one-off wires and ACHs and depositing customer payments. Furthermore, finance personnel need online access to view transaction activity and bank balances in real-time to confirm they have enough cash to cover payroll or this week’s check run, or to simply follow up on a vendor or customer inquiry. Restricting this level of access would inevitably create additional inefficiencies and potentially disrupt customer service. But are there limits on transaction amounts or types that cannot be processed without your approval? If you have delegated most, if not all banking related responsibilities to someone else, you should be regularly reviewing bank statements, check images and banking activity to ensure illicit transactions (or erroneous disbursements) aren’t occurring. Do you have a process in place to compare the number of services performed, or goods provided in the prior month to the amount invoiced and deposited? If not, how can you be certain that customer payments have all been accounted for. And as your business grows, changes and/or staff turnover, it is also crucial that you understand how operational decisions, and potentially seasonal business, directly impact the company’s overall cash position. For example, do you reserve a portion of excess cash, or do you invest it? Do you have an established dollar threshold to trigger this or is it at the discretion of someone else? As you can see, the benefits of performing a detailed review of your bank statements are endless and getting in the habit of consistently doing so will help you spot questionable transactions, identify unaccounted for customer payments, note unexpected fluctuations, and help you make informative short and long-term business decisions.
5. Review of Payroll
Regardless of how your employees record and submit their time, how payroll is processed and how you handle direct deposit, labor is often businesses’ largest expense and most overlooked threat. To complicate this process even more, the COVID-19 pandemic has more than likely influenced your ability to find and retain help. To keep up with demand, many staff are working at an unprecedented rate of OT with little to no oversight from business owners. You may also be relying on just one person, instead of several, to carry out critical payroll processes. Below, we identify the most common payroll fraud schemes and highlight the ways you can avoid this type of fraud:
- Ghost employees. This refers to someone on the payroll who does not actually work for your business. The very first step in this scheme is someone with access to the payroll records must add a fictious employee or fail to remove a terminated employee’s name. While you should always restrict access to these records to only specific employees, we also recommend you perform a periodic review of payroll records. For every employee on your payroll, you should verify against personnel records.
- Falsified hours: The second most common method of misappropriating funds from payroll is the overpayment of wages for time not worked. When hours are recorded manually on a timecard, an employee fills it out and submits it to a supervisor for approval. In more sophisticated systems, computers track the time employees spend on the job based on login codes. If you’re using the latter, we always recommend removing the employee’s ability to adjust their own time. Most payroll frauds in this area stem from manually prepared timecards so if you haven’t thought about automating this process, you probably should.
- OT authorization: Can employees work unlimited overtime without prior authorization? Do you have a current OT policy that has been communicated and is readily accessible to employees? Now more ever, having a documented policy with clear and concise guidelines is critical to reduce overtime abuse. In addition, we recommend that you scan monthly time reports and question and look-into excessive outliers by reviewing shift schedules and client documents and by speaking to supervisors.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.