by Gregory S. Dowell
August 24, 2017
We often have noted the results of the fraud studies that have been performed by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”), which is co-sponsored by the Academy of Certified Fraud Examiners (“ACFE”). Those studies consistently have pointed out a few interesting results:
- Small business is more susceptible to loss from fraud.
- The perpetrator is almost always a trusted employee.
- The average dollar-amount loss from fraud is significant, and can be detrimental to the life of an entity.
Despite these consistent results, we have noted as CPAs and advisors that many businesses still feel they are bulletproof against fraud. Even though fraud studies show us conclusively that fraud tends to be committed by the employee who is viewed as beyond suspicion, the most trustworthy, and the most committed to the organization, time and time again we have business owners tell us that their trustworthy, committed employee would never do such a thing. We remind those business owners that exactly the same thing was said about those poor employers who were defrauded by their loyal employee.
What far too many business owners (I’m using the term “business owners” broadly, as this applies to charities and governments as well) fail to realize is that putting in good internal controls, and then spending some time checking on adherence to those controls, is fundamental to running a business in a sound and responsible manner. No employee who is motivated by good intentions and the employer’s best interests will have a serious objection to being subject to internal controls. In fact, an employee who vehemently objects is a sign that something may be amiss. Good controls and processes, when put into place, become part of a business’s culture. Those controls raise every employee’s and stakeholder’s respect for doing things properly and in a transparent manner. Those good controls will pay for themselves many times over in the life of the business, by preventing fraud, by presenting opportunity (think of how pleased a banker with money to lend would be to understand that a business takes control seriously), and by resulting in a higher valuation. Yes, potential buyers will be impressed by the processes in place, will place more reliance on the financial statements, and will ultimately place a higher value on a business that has good controls.
While the fraud studies by COSO are the most widely publicized, multiple studies done by a number of organizations report these same results. In a recent article by Rachel Layne for MoneyWatch titled “Your company’s biggest thief might be the most loyal-seeming employee”, she cites a study by the insurance firm Hiscox, and the results from the previous COSO studies are again confirmed. As noted by Ms. Layne, the study reports that most thefts extend over long periods of time – think in terms of years – and may include smaller amounts of thievery over and over and over again. The study shows that 29% of employee thefts took place over more than 5 years (37% for those in the financial services industry). Vendor losses are the largest – think of an employee who sets up a fraudulent vendor in the employer’s system, and then systematically pays them over months and years. This study found that the average theft stretching over 5 years or more was $2.2 million. In declining order, the largest frauds occurred in financial services, government, manufacturing, real estate, labor unions, and “other services”. All of these fraud studies consistently show that the thief was most commonly the most trusted person in the organization, the person who never takes vacation (which is important if you need to cover your tracks every day), and an employee involved in the accounting department, with a median age of 48 (older employees tend to be around longer and have advanced in the company to a position that gives them the knowledge and the access to commit fraud). The study also notes that, again, small businesses are the most at-risk.
So what should be done? The answer is relatively simple: Engage your CPA firm to conduct an internal control study and make recommendations for change, as well as for ongoing monitoring. That monitoring should include internal monitoring by other employees, but should also include periodic monitoring by the CPA firm. Even if the benefits and positive financial impact noted above are completely ignored and one thinks only about the immediate costs of control, the comparison still favors controls: there is obviously an upfront and ongoing cost to putting in these controls, but the cost from not having these controls can be staggering. The sad thing is that these losses are preventable, but not if business owners, governmental leaders, and boards of directors fail to take action.