Business owners are bombarded with information about cyber threats – Phishing, Ransom attacks, Malware, etc. But sometimes, the threat comes from within. We all want to believe the best about our employees and in most cases, we’d be right. But, unfortunately, not everyone is honest or can resist temptation. Small businesses are more at risk, and lose more every year to internal theft because it is hard to segregate responsibility. That raises the bar for management to control & inspect.
I’ve worked with many, many small businesses who have called me because “something just doesn’t seem right”. The owner, or manager will spend time telling me about their frustration with their accounting system being so hard, and how they can’t seem to make sense of the information they’re getting, or their inability to get anything at all. Sometimes they don’t understand why they don’t have any money in the bank, even though they know they’ve got to be making money.
The story is the same every time, and before the owner has spent even 15 minutes telling me his specific story, I can tell you where the problem lay. Nine out of ten times, there has been some fraud or theft by the “trusted bookkeeper”.
I’ll tell the owner where we need to look, and he’ll be shocked. He’ll tell me it can’t be. He’ll say she is a deacon in her church and godmother to his child. Unfortunately, I’m right more often than I want to be.
Don’t get in this situation. Don’t make it easy to be tempted. A small amount of prevention, and due diligence each month, will save a world of loss and suffering later.
Often traditional methods of control aren’t feasible for a very small business. With only a few employees, it is hard to separate responsibilities. This means you have to be vigilant about what you can do. The key points are CONTROL AND INSPECTION.
IDs and Passwords: Most of you are going to glance at this section and move right on to the next one. I get it, but don’t do it. Number one in fraud prevention is access control. Small things will have big payoffs in this area.
Every user needs to have their own ID and password. NO SHARING! Change the sysadmin password frequently, and don’t share it.
Set QuickBooks preferences to force logout after a short time of inactivity.
Set your Windows preferences to return to the Windows log in screen after 5 minutes of inactivity and set an office policy to lock computers when walking away. I have one client that plays “tricks” on their employees. If someone walks away from their desk and leaves their computer unlocked, the person who catches it sends out a (semi) embarrassing email to the office from the offender’s email. An all office invite to a party at your house can be eye-opening. It’s silly, and effective.
Use Security profiles: All Intuit products have extensive security options. However, I find many clients just open all functions up to all employees. Don’t do it! Getting the settings right for a job function can be difficult, but again, worth it. Set up a profile, and then test it. Log in with that profile and test to see if you can access things you shouldn’t.
Reconcile:
Reconcile all Bank Accounts and Credit Card accounts If you aren’t in a position to reconcile, that’s fine. But grab the bank statement, and the credit card statements and LOOK AT THEM. You would be amazed at the number of frauds that could be identified by review of statements, physical check copies, and charges. A few small transactions to an unknown vendor. An unexpected check to an employee. A transaction amount at odds with normal business. All these are usually, very apparent to the business owner or manager if they take the time to look at the details from the bank – not in QuickBooks – but from the bank.
Review Vendor statements. If a Vendor shows a past-due, but your records show payment, you’ve got a possible leak (a payment marked as going to a Vendor was instead disbursed somewhere else). Also, you may see that you’ve got payments or bills from Vendors that the Vendors don’t show they’ve issued. Again, another way for your money to disappear. Fake Vendors is another possibility. You should be able to account for all Vendors.
Send out Customer Statements. If you show Customers with past due balances and they contact you with proof of payment, you may have miscoded the payment to another customer, or you may have your Customer payments disappearing to somewhere else. Look at Customer accounts for credits or returns. This can zero a customer balance, and when payment comes through, it can just disappear.
Review Balance Sheet Accounts. Everyone looks at their Income Statement. Many do not review their Balance Sheet. It can be quite easy to bury transactions in a busy Balance Sheet. It is easy to bury “fake” transactions in a Balance Sheet account if no one is reviewing them.
Internal theft is rampant, and painful. It hurts not only the bottom line, but the soul of your business. It almost always starts small, because it is easy. Don’t make it easy.