An unpleasant fact of business is that some customers shoplift, some vendors and suppliers overcharge and short-count on deliveries, some employees embezzle or steal assets, and some managers commit fraud against the business or take personal advantage of their position of authority in the business. None of this is news to you probably. But you may think your business is exempt from these risks; you feel that all your employees are honest and everyone you deal with is honest. If this is your attitude, I’d like to talk with you about “buying a bridge in Brooklyn“.
A small medium business particularly is a natural target for fraudulent schemes, scams, employee embezzlement, pilferage, worker crime, and theft. Even a relatively small business handles a lot of money, holds valuable assets, and deals with a lot of people — a perfect mix for bad things to happen. To protect against these threats, a small business should put into place and vigorously enforce internal controls. Various precautions are established to prevent, or at least to minimize losses from all types of dishonesty against the business from within and without. Big business understands the critical importance of internal controls. You’re preaching to the choir here. In contrast many small businesses are careless regarding internal controls, which is like “leaving money on the counter for the taking!”
A small business has a large repertoire of internal controls to choose from. I would remind you that this post is directed to small- to medium business owner and managers, not to accountants. Therefore, I don’t delve into the details of internal accounting controls. Rather, I would offer easy—to—understand—for—easy—implementation guideposts for managing internal controls that apply to most small medium businesses.
Are Small Medium Business Too Small For Effective Internal Controls?
The lament of many small business owners/managers is, “We’re too small for internal controls”. This complaint isn’t true! Even a relatively small business can enforce certain internal controls that are very effective. Among these are the following:
- The owner/manager should sign all checks, including payroll checks. This practice forces the owner/manager to keep a close watch on the expenditures of the business. Under no conditions should an accountant, a bookkeeper, or the Controller of the business be given check-signing authority. This person can easily conceal fraud if he or she has check-writing authority.
- In high-risk areas (generally cash receipts and disbursements, receivables, and inventory), require that employees working in these operating areas take vacations. Furthermore, make sure that another employee carries out their duties while there’re on vacation. By doing the same job, the fill-in employee serves as a check on whether the regular employee is doing things correctly and according to the rules.
- Although separation of duties on a full-time basis may not be practical, consider the job-sharing approach. In job sharing, two or more employees are regularly assigned to one area of the business on alternate weeks or some other schedule. Each employee acts as a check on the other so that both use established methods and procedures. When a second employee shares the job, embezzlement is more difficult to conceal, unless the two persons collude.
- Without violating their privacy, keep watch on the lifestyles of your employees. If your bookkeeper buys a new Mercedes every year and frequently is off to Monte Carlo, you may ask where the money is coming from. You know the salaries of your employees, so you should be able to estimate what sort of lifestyles they can afford.
Understanding the Psychology of Fraudsters
An easy and quick answer to why people commit fraud is for the money. However, this answer doesn’t always get to the root causes why people commit fraud. How do they rationalize stealing money? Do they not think it’s stealing? Do they need the money that bad? Don’t they see the risks of getting caught? Don’t they see the shame and dishonor getting caught will bring down on their family and their good name? Well, for one thing, many people seem to think that business is a fair target because businesses rip them off every day. Or, they may do it to get back at the owner of a business.
How do people that commit fraud rationalize or justify their actions in their minds? Fraud usually involves a variety of financial, personal, emotional, and other factors that can push even the most honest, hard-working person over the limit. Fraud driven by the need to survive probably is more commonplace and represents a much greater risk to the average business than fraud driven by greed alone. For example, we know of cases where a business owner went way over the line. The business owner viewed his company as a part of his family. The owner was willing do anything to ensure the survival of the business, which would be his legacy to his family.
Businesses should know that its employees and managers will sometimes have problems paying their bills on time, to say nothing about all the other financial pressures caused by divorce, health problems, medical emergencies, college-bound kids, drug addiction, and on and on. You can make a good argument that business is responsible for have good internal controls that prevent its employees and managers from committing fraud. Indeed, you can make a good case that a business has a social responsibility for exercising good internal controls.
Identify High-Risk Areas
Strong and tight controls are needed in high-risk areas. Managers should identify which areas of the business are the most vulnerable to fraud and theft. The most likely fraud points in a business usually include the following areas (some businesses have other high-risk areas, of course):
- Cash receipts and disbursements
- Payroll (including workers’ compensation insurance fraud)
- Customer credit and collections, and writing off bad debts
- Purchasing and storage of inventory
Without doubt, cash collections and cash disbursements are the highest risk areas for most businesses. The small business should make sure that all checks mailed to the business and cash collected at the point of sale is recorded in its cash account. For this reason, many small business owners/managers open their mail each day and count the money in their cash registers at the end of each day. They make deposits in their bank accounts themselves. You may or not have time to take this action. If you don’t, it’s best to have someone other than your Controller take on this responsibility — someone who does not have access to the cash register.
The person opening the mail that includes cash collections from customers and the person counting money in cash registers should not be the accountant who records the entries in your cash account. Assign someone other than an accountant (or bookkeeper) the responsibility for opening the mail and counting cash in the sales registers.
On the other hand, the accountant is generally given the responsibility for preparing the required forms and paperwork that are presented to managers for payment approval. But the accountant should not be given the authority to sign checks, and someone other than the accountant should mail checks. You can’t be too careful about cash collections and disbursements.
Consider Legal Considerations
Pay careful attention to the legal aspects of internal controls and enforcing the controls. For example, controls shouldn’t violate the privacy rights of employees or customers. Needless to say, a business should be very careful in making accusations against an employee suspected of fraud. At the other extreme, the absence of basic controls possibly can expose a manager to legal responsibility on grounds of reckless disregard for protecting the company’s assets. A legal opinion may be needed on your internal controls, just to be safe.
Separate the Duties of Employees with An Eye On Internal Control
Where practical, two or more employees should be involved in the authorization, documentation, execution, and recording of transactions — especially in the high-risk areas. The idea behind this separation of duties is to force collusion of two or more persons to carry out and conceal a fraud. For example, two or more signatures should be required on checks over a certain amount. For another example, the employee preparing the receiving reports for goods and materials delivered to the company should not have any authority for issuing a purchase order and should not make the accounting entries for purchases. Instead of the concentration of duties in the hands of one person, duties should be divided among two or more employees, even if some loss of efficiency occurs.
Make Surprise Audits And Inspections
Make use of surprise counts, inspections, and reconciliations that employees can’t anticipate or plan for. Of course, the persons doing these surprise audits should be independent of the employees who have responsibility for complying with the internal controls. For example, a surprise count and inspection of products held in inventory may reveal missing products, unrecorded breakage and damage, products stored in the wrong locations, mislabeled products, or other problems. Such problems tend to get overlooked by busy employees. More important, the inventory errors may be evidence of fraud or theft. Many of these errors should be recorded as inventory losses, but may not be found out unless you order surprise audits. It may look sneaky, but surprise audits and inspections are very useful.
Encourage Whistle Blowing
Encourage ell employees to report suspicions of fraud by anyone in the business (which has to be done anonymously, in most situations). Admittedly, this tactic is tricky. You’re asking people to be whistleblowers. Employees may not trust management; they may fear that they will face retaliation instead of being rewarded for revealing fraud. Employees generally don’t like being spies on each other, but on the other hand, they want the business to take action against any employees who are committing fraud. Employees will not blow the whistle unless they’re convinced that they’ll remain anonymous and unidentified. So, you must come up with some way to make sure that a report of suspicious activity can’t be traced to its source. One possibility is to use a third party who your employees trust. The third party would pass along the message and provide a barrier to anyone’s attempt to identify the whistleblower.
Leave Audit Trails
Insist that good audit trails be created for all transactions. The documentation and recording of transactions should leave a clear path that can be followed back to source documents. Supporting documents should be organized in good order and should be retained for a reasonable period of time.
The IRS publishes recommended guidelines for records retention, which are a good point of reference for a business; have your accountant go to . In particular, your accountant should look in Publication 583, Starting a Business and Keeping Records.
Limit Access To Accounting Records And End-Of-Year Entries
Access to all accounting records should be strictly limited to accounting personnel, and no one other than the accounting staff should be allowed to make entries or changes in the accounting records of the business. Also, managers are well advised to keep a close eye on end-of-year accounting entries to close the books for the period. Managers provide critical information for these entries, which may have a large effect on the amount of profit recorded for the period. (Providing the information to their accountants for these entries provides the managers with the opportunity to massage the financial statement numbers).
Perform New Employee Background Checks
Thorough background checks should be made on all employee applicants, especially those that will handle money and work in the high-risk fraud areas of the business. Letters of reference from previous employers may not be enough. A business may have to consider more extensive background and character checks when hiring managers. Studies have found that many applicants falsify their resumes and list college degrees that they, in fact, have not earned. Databases are available to check on a person’s credit history, and his or her driving record, criminal record, workers’ compensation insurance claims, and life insurance rejection record. The problem is locating the various databases, judging how reliable and up-to-date they are, and knowing how to interpret the information in the database. In most cases, you probably should consider hiring a private firm, such as a private investigator, that specializes in background checks on job applicants.
Order Periodic Audits Of Your Internal Controls
Consider having an independent assessment done on your internal controls, by a CPA or other professional fraud specialist. This audit may reveal that critical controls are missing or, conversely, that you’re wasting money on ineffectual controls. If your business has an annual financial statement audit, the CPA evaluates and tests your business’s internal controls. But, you may need a more extensive and critical evaluation of your internal controls that looks beyond just the accounting oriented controls.
Do Regular Appraisals Of Key Assets
You should schedule regular checkups of your business’s key assets—receivables, inventory, and fixed assets. Over time, these assets develop problems that aren’t dealt with in the bustle and day-to-day pressures on managers and other employees. Receivables may include seriously past due balances, but these customers’ credit may not yet have been suspended, so business would be throwing good money after bad. Some products in inventory may not have had a sale in months. Some items in fixed assets may have been abandoned or sold off for scrap value, yet the assets are still on the books and are being depreciated.
Insist On Internal Control Information With Your Accounting Reports
All too often we have found that small managers do not ask their accountants to include internal control information with their regular P&L and other financial reports. If inventory shrinkage is a problem in your business, for example, insist on regular reports on inventory shrinkage every period. Don’t let your Controller bury this information out of sight in your P&L. Suppose that your business makes a lot of cash sales. You should get information on abnormal discrepancies between daily sales and the cash counts at the end of each day. The type of internal control information you need depends on the particular characteristics of your business. For example, sales returns may be a significant factor in a retail clothing business. So, sales return information should be in your P&L reports. For auto dealers, in contrast, sales returns aren’t a problem. They’re more concerned with warranty work done after the sale.
You should sit down with your Controller and explain the types of internal control information you want in your regular accounting and flash reports. This two-way discussion can give your Controller a better understanding of the business and how you operate. Encourage your Controller to make suggestions about possible internal control problems. Maybe you should send your Controller to a workshop on fraud in the small business.
Remember that your P&L and balance sheet may not recognize unrecorded losses from fraud and theft.
Finally, keep in mind that there’s a chance that your business has suffered a loss from undiscovered fraud, which therefore hasn’t been recorded and reported in your P&L and balance sheet. The threat of an unrecorded loss from fraud hangs over your financial statements. Good internal controls reduce this threat to a minimum. You don’t want to suffer losses from fraud and theft, of course. But when fraud has happened, you need to record the loss as soon as possible. Otherwise, your financial statements are misleading!
Discuss Computer Controls With Your Chief Accountant (or Controller if you have one)
Computer hardware and software controls are extremely important, but most managers don’t have the time or expertise to get into this area of internal controls. Obviously, you should use passwords and firewalls, and managers know about the possibility of hackers breaking into their computers, as well as the damage that viruses can cause. Every business has to adopt internal controls over e-mail, downloading attachments, updating software, and so on. There is one good piece of news. Small business accounting software packages today generally have strong security features — but you can’t be too careful.
Talk With Other Small Business Managers About Internal Controls
Many businesses, especially smaller companies, adopt the policy that some amount of fraud and theft simply has to be absorbed as a cost of doing business, and that it’s not worth the time and cost of enforcing internal controls.
This sort of attitude reflects the fact that business, by its very nature, is a risky venture. Despite taking precautions, you can’t protect against every risk a business faces. On the other hand, a business invites trouble and becomes an attractive target if it doesn’t have basic internal controls.
It’s very difficult to estimate how many instances of fraud are prevented by the internal controls used by a business, and the damage that would have been done by the frauds. Where do managers look for information about fraud, then? Well, for one thing, they read articles in newspapers about frauds. Also, managers trade information with business associates. Business trade associations provide information about frauds in the industry. At regional and national meetings, managers swap stories about fraud.
Learn From Fraud Cases That Come To Your Attention
We read about cases of fraud all the time. One thing never ceases to amaze us. You wouldn’t think the perpetrators of some frauds could have gotten away with the fraud so long, or have stolen such a large amount without being noticed. We remember newspaper stories years ago reporting that a long-time, trusted bookkeeper had stolen virtually half the assets of a small bank in the Midwest. As we recall, this scenario happened to more than one bank as a matter of fact. The bookkeeper realized that many of the bank’s savings accounts by older depositors were inactive, and the bookkeeper also knew the bank officers never took a close look at these accounts.
So, the bookkeeper withdrew money from these savings accounts, but sent monthly statements to the depositors that reported their original balances. Because the bookkeeper prepared the depositor statements, it was easy to falsify the balances. The simple internal control of separating the duty of preparing depositor statements from the duty of recording deposits and withdrawals in the accounts would have prevented the fraud (unless the two employees collude). Of course, the bank’s officers should have been held accountable for not keeping a close eye of inactive savings accounts. They should have recognized that the inactive accounts are at higher risk for embezzlement than active accounts.
Most fraud schemes aren’t foolproof. Even carefully crafted embezzlement schemes can’t anticipate every eventuality. Many fraud schemes collapse from their own weight as the fraud gets bigger and bigger over time.
Make Yourself The Centerpiece Internal Control
The starting and ending point in effective internal controls is you — the owner/manager of the small business. It begins and ends with you. We don’t mean that you have to do every internal control procedure every day. Rather, we mean the attitude and seriousness that you exhibit about internal controls — especially to your employees, your vendors, your customers, and to everyone else with which you have business relationships.
In the accounting articles and books on big business internal controls, one point is mentioned over and over — the tone at the top. Tone at the top means that the business’s top-level managers take internal controls seriously and put into practice what they preach.
Don’t pay lip service to internal controls. Your employees quickly figure out whether or not you take internal controls seriously.
Keep In Mind The Costs And Limits Of Internal Controls
Internal controls aren’t free. Internal controls take time and money to design, install, and use. It’s difficult to measure or estimate the costs of an internal control, or of a related group of related internal controls in one area of the business, such as purchasing, cash collections, payroll, or customer credit.
Well, if you buy fidelity insurance on certain employees, you know the cost of the premiums, of course. The employee(s) covered by a fidelity insurance policy are said to be bonded. A fidelity insurance policy reimburses a business (up to the limits of the policy) for a loss due to embezzlement or other type of fraud against the business by an employee. One reason for buying fidelity insurance is that the insurance company (called the underwriter) does a thorough background check on the employee(s) being insured.
Furthermore, some internal controls can have serious side effects. Customers may resent certain internal controls, such as checking backpacks before entering a store, and take their business elsewhere. Employees may deeply resent entry and exit searches, which may contribute to low morale. Internal accounting controls are not 100-percent foolproof. A disturbing amount of fraud still slips through these preventive measures.
How are these frauds found out? Fraud study by KPMG reports that common ways for uncovering frauds include the following:
- Internal controls
- Internal audits
- Notification by an employee
- Anonymous tip
- Notification by customer
- Notification by regulatory or law enforcement agency
- Notification by vendor
- External audit
Small businesses don’t have internal auditors. But the other ways of finding out about fraud apply to small, as well as big, businesses. Sometimes the guilty party simply makes a dumb mistake. Our favorite story along this line is the case of the office manager who set up a bogus office-supplies store and then sent bills to the business for non-existent purchases of office supplies. He kept the purchases to fairly small amounts, so as not to attract the attention of anyone. The office manager approved these bills and forwarded them to the accountant who prepared the paperwork that was sent to the manager for payment approval. This strategy worked like a charm for several years.
The office manager had the checks sent to his home address, which would have worked because no one in the business thought to check the address of the office-supplies vendor in the yellow pages. But then the office manager made a stupid mistake. He sold his house to a fellow employee and forgot to change the address of his bogus office-supplies vendor. The next check came to his old home address. Fortunately, the new homeowner thought it was suspicious and notified the manager of the business. Who knows how long this ruse might have gone on if the office manager had not sold his house to a fellow employee?
One test of a good internal control is that it will quickly detect a fraud if it fails to prevent it. Of course, finding out about fraud after it has already occurred is like closing the barn door after the horse has escaped. Still, it’s very important to discover what fraud has happened and record the loss. As a matter of fact, the purpose of internal controls is to make concealment of fraud as difficult as possible. The logic is to send a clear message to potential fraudsters: You may be able to steal, but you will be found out in quick order. In some cases, internal controls are established by a small business, but they’re not carried out contentiously, or internal control procedures are done in a perfunctory manner. In theory, managers should not tolerate such a lackadaisical attitude toward internal controls by employees. A manager may intervene and override an internal control, which may set a very poor example for employees. In fact, overriding an established internal control may be evidence of fraud by the manager.