According to the Association of Certified Fraud Examiners (ACFE), certain fraud risks are more likely in small businesses than in large organizations. The ACFE classified fraud into three categories:
Misappropriation of Assets – stealing or misuse of an organization’s resources
Corruption – an employee using their influence in business transactions in a way that violates their duties in order to obtain a benefit for themselves
Financial statement – involves the intentional misstatement or omission of material information from financial reports
To reduce the risk of fraud in your organization, the most important step for small business owners is to implement properly designed internal controls.
Consider implementing the following in your business to help prevent and detect fraud.
Internal controls are procedures or processes put in place by a business to:
Ensure financial reporting is accurate and meet all financial reporting requirements
Ensure compliance with operational requirements
There are five factors necessary for establishing effective internal controls.
Segregation of Duties
Policies and Procedures
Oversight and Review
User Access and Rights
SEGREGATION OF DUTIES
Creating separation or segregation of duties entails the assignment of the various components of a process to different employees. Proper segregation of duties should ensure that different people should be responsible for authorizing transactions, recording transactions, maintaining custody of related assets and reconciling account balances. If a single employee is responsible for all these tasks, that person is in a position to commit and conceal fraud.
While larger companies with large numbers of employees can easily segregate duties, small businesses should consider outsourcing one or more of these duties. Accounting firms offer accounting services to small and medium size companies. The Company can outsources some of these functions to an accounting firm and obtain a level of expertise not available from their in-house staff.
POLICIES & PROCEDURES
All businesses should have written policies and procedures—even if you think your business operations are not complicated. Although businesses are different, the following common processes should always be documented:
Sales and Accounts Receivable
Cash and Banking
Purchases and Accounts Payable
Payroll and Human Resources
Financial Statement Closing and Reporting
The policies and procedures for each process should include all the tasks and steps needed to complete a process. Documenting each process provide transparency and consistency and allow for specific duties to be easily assigned to separate individuals. Detailed policies and procedures also facilitate the training of new or temporary employees.
While it might seem obvious, maintaining adequate supporting documentation is essential to developing effective internal control. All transactions must be documented in sufficient detail to allow management to support the existence of the transaction. Standardized documentation enable faster and more efficient review of accounting documents by management and is an important aspect of fraud detection.
Thorough, standardized documentation also allows for discrepancies and errors to be more easily identified. Not having standard documentation for all internal accounting procedures puts you at risk of errors and that fraudulent activity will go unnoticed or overlooked.
OVERSIGHT & REVIEW
The best way to reduce the risk of fraud is management oversight and review; in other words, showing your employees that you are checking up on them and reviewing documentation. In most fraud cases, the employee was allowed to perform their duties without oversight or review which enable them to perpetuate the fraud over an extended period of time.
Management must be committed to implementing and following their own internal controls. The tone is set at the top. They should review financial reports periodically and on a random basis which includes identifying significant variances and the reason for the variances.
USER ACCESS & RIGHTS
Another important consideration for preventing potential fraud and maintaining security within a business is the prevention of any unauthorized access to the key databases, systems, and programs used for accounting operations.
Employees should be given limited access to information systems with only rights to perform function necessary to their work assignments. Often employees are given more access to information systems than they actually need to carry out their duties. Most software allow the Company to setup individual users with specific access to or deny access to specific areas of the system.
On a periodic basis, all users’ rights should be reviewed to ensure there is a legitimate business purpose to support them having this access.
Since every business is different, small business owners are likely to apply a variety of different strategies to put procedures in place that works best for their unique needs. The guidelines presented above are standard components that should be applied to ensure a strong foundation of internal controls and security no matter the size of the company.