Fraud in a privately owned business is not only distressing for the owner, but also for employees. One example we have seen involved a business where a relatively junior staff member had stolen significant sums by processing duplicate invoices and ghost salary payments, and paying them into their own bank account.
“When uncovered, the staff member was prosecuted and found guilty of fraud and it was confirmed that they had acted alone. However, other staff felt responsible for not having noticed irregularities earlier, and when the issues first came to light everyone was under suspicion which, as you can imagine, led to a difficult working environment,” says Tracy Hickman, Corporate Advisory Director at Staples Rodway Chartered Accountants.
In some other cases, employees have been imprisoned for their offending. The legacy of fraud can be widespread and long lasting, so putting safeguards in place can help to avoid the financial loss and other implications for the business.
High profile organisations, such as Mighty River Power, SkyCity and Westpac demonstrate that even large, publicly listed companies are not immune to employee fraud issues. For example, last year SkyCity was involved in an employee fraud dispute involving more than $2.5 million of misappropriated funds.
“While implementing internal controls can be more straightforward in larger organisations, where there are sufficient staff to allow separation of duties, the challenge is more pronounced for smaller organisations, where one person may be responsible for all accounting related activities such as bookkeeping, banking, collecting debtors, making payments and processing payroll,” says Tracy Hickman.
“Establishing approval processes, and involving other departments in some of the key risk activities, can help.”
So how do you reduce the risk of fraud in your business? Below are some practical suggestions to help.
Banking: While most cash receipts are now electronic, you may still receive the occasional cheque, so organise for banking to be done by the owner or an employee other than the accountant or bookkeeper.
Incoming mail: Arrange for someone to open the mail each day for the whole organisation, so that hard copy bank statements, invoices and statements are not received directly by the person responsible for processing these documents.
As well as providing a control, if a manager or director is checking the mail it can provide a good overview of what’s happening in the business, which can be useful as it grows. However, the growing number of documents received electronically can reduce the effectiveness of this control.
Payroll: Consider outsourcing payroll or establishing an approval process where any changes to employee’s bank accounts and new employees must be approved by a staff member other than the payroll administrator. Some online banking systems show a changed bank account number in bold type, so they should stand out.
Payments to ‘ghost’ employees are more easily hidden in larger payrolls, or in those where there is a significant churn in staff, such as in the hospitality industry or construction industry.
Payments: It’s not uncommon in smaller businesses for there to be only one signatory on a bank account. If signatories are added, in addition to the owner or director, consider requiring dual signatures, at least on amounts over a certain threshold.
Also put in place delegated authorities for approving purchases, where any expenditure over a certain amount must be approved by a director or owner of the business. The same suggestions apply here as for payroll for bank account changes for suppliers requiring authorisation.
When approving electronic payments, insist on seeing the original invoice with bank account details to compare to the payment list.
“We recently saw an instance of fraud where the ‘original’ invoice had been amended so that the bank details for payment were changed, and that was picked up because there were no other supporting documents for the change,” says Tracy Hickman.
Cyber security: In a smaller business it can be easy to become lax in cyber security, with software logon passwords, online banking passwords and bank security devices being shared (or worse, passwords written on post-it notes and stuck to the monitor).
In these cases, it can be difficult to prove the perpetrator of a fraudulent act because it’s hard to identify who actually processed a transaction.
Policies: Having clear policies in place can help uncover fraudulent activities. For example, a policy requiring all employees to take two weeks’ annual leave per year ensures that someone else within an organisation will assume responsibility for that employee’s tasks which can highlight irregularities.
It’s also important to have clear whistleblowing policies in place. This will provide an avenue for employees to report any suspicious behaviour within the organisation without fear of retribution or risk to their job security.
Investigating suspicious activity: It’s important to understand the interplay between investigations into employee activity and criminal investigations. The person accused of fraudulent activities has rights, and the right to silence can cut across employment investigations. If these situations arise, it is important to tread carefully and seek legal advice.
Many of these suggestions are common sense, but they can act as a first line of defence against fraudulent activity. Consider also talking to your professional advisors for more recommendations on internal controls specific to your business.
Read more of our related insights.View all insights