Business Fraud and Embezzlements

Recent headlines from the Eastern District of Missouri, U. S. Attorney’s Office:

DeSoto Woman Sentenced for Embezzling $1.6 Million from Grandview School District
October 13, 2017

Kinloch Official Sentenced for Stealing Money from the Kinloch Fire Protection District
October 25, 2017

Former Chief Financial Officer Sentenced for Stealing $2.8 million from Company
November 6, 2017

The 2016 American Association of Certified Fraud Examiners (ACFE) Report to the Nations found that the median loss to businesses due to fraud was $150,000.00.

Most of these frauds could have been prevented with proper internal controls and due diligence on the part of the businesses. Looking at the court cases of the above three crimes cited, all involved individuals who were trusted by the organization and were given carte blanche to handle the organization finances with little or no oversight.

As a business owner, prevention of fraud, waste, and abuse can be achieved with proper internal controls and appropriate oversight. The loss from fraud and embezzlement is not only monetary. To quote a business owner from one of the above cited cases:  we “thought we had a significant problem until we spent the next three months of our lives going through everything, including looking at the front and back of 44,000 checks…”

What can business owners do to protect themselves? Having strong internal controls are mandatory.  Businesses can also watch for behavioral red flags for fraud and embezzlement as noted from the 2016 ACFE Report to the Nations:

  • Living Beyond Means (45.8%)
  • Financial Difficulties (30%)
  • Unusually Close Association with Vendor/Customer (20.1%)
  • Wheeler –  Dealer Attitude (15.3%)
  • Control Issues, Unwillingness to Share Duties (15.3%)
  • Divorce / Family Problems (13.4%)
  • Irritability, Suspiciousness or Defensiveness (12.4%)
  • Addiction Problems (10%)

Businesses can be defrauded on many fronts: Internally by employees, managers, officers, or owners of the company, or externally by customers, vendors, and other parties.

Simpson Security and Investigative Advisory Group, LLC has trained fraud investigators, forensic accountants, and Certified Public Accountants (CPA’s) on staff to assist businesses in fraud prevention, fraud awareness, and fraud detection

Is Your Business Secure?

We recently completed two projects: one involved the investigation of a theft and potential data breach at a major firm, and in the other we were asked to conduct an in-depth security review for a major corporation that recently had an intruder breach their premises.  What we found is all too common in many businesses today.   Business security is not a priority until after an incident occurs.

You can’t open the newspaper or listen to the news without reading or hearing about a data breach, embezzlement, financial fraud, or workplace violence incident.   There are many reasons why basic security processes and procedures are not put in place.  The reasons range from cost concerns to naiveté. The truth is, once an incident occurs, the monetary and non-tangible (business good-will) cost to a business can be devastating.

There are recognized industry standards for security for both small and large businesses.  Implementing those standards can help protect the business from a security breach, legal liability, and financial loss.

Financial Safeguards

In the 2014 Association of Certified Fraud Examiners Report to the Nations on Occupational Fraud and Abuse, it was reported that the median cost of a single fraud incident to small businesses was $154,000.00.  Five simple steps businesses can, and should, take to help mitigate financial fraud are:

  1. Conduct background checks on all employees.
  2. Implement a written code of ethics.
  3. Divide bookkeeping and check signing authority.
  4. Deliver bank statements – unopened – to top management.
  5. Implement a fraud reporting mechanism or hotline (over 40% of all small business fraud is discovered through tips).

Physical Security

American National Standards Institute (ANSI) and ASIS International are recognized as the standard bearers of physical security. Both organizations conduct extensive research on physical security and publish standards that are recognized the world over. Each business should conduct a security risk assessment along with a cost benefit analysis. The size of your business will dictate how in-depth that assessment should be.   Areas to consider in assessing the physical security of your business include:

  1. Security policies and procedures
  2. Security lighting
  3. Barrier systems
  4. Intrusion detection systems
  5. Physical entry and access control
  6. Video systems / Video surveillance
  7. Alarms
  8. Personnel

Workplace Violence

The Occupational Safety and Health Administration (OSHA) estimates that about 2 million U.S. workers are victims of workplace violence each year and about 10 percent of workplace fatalities are homicides. The monetary costs of workplace violence have been estimated by the National Institute for Occupational Safety and Health to exceed $120 billion per year, and the human costs are immeasurable.

Workplace violence incidents can come from a customer, an employee, domestic disputes that spill over into the workplace, and criminal acts.

Employers should take some basic steps to address workplace violence by adopting policies and procedures that demonstrate to their employees the importance of a safe workplace.  Those steps should include:

    1. A written zero-tolerance policy for incidents of violence or threatening behavior in the workplace.
    2. Substantial disciplinary action, up to and including termination, for harassing or threatening behavior.
    3. An easy system for employees to report suspicious or threatening circumstances.
    4. A documented and detailed action plan outlining how the business will respond to those reports.
    5. A system for documenting those reports and the action taken by the business to address the report.
    6. A written and detailed emergency action plan in the event of a violent incident.

Cyber Security

    The 2014 Data Breach Investigations Report, compiled by over fifty organizations from around the world reported over 63,000 cyber security incidents and over 1,300 confirmed data security breaches across twenty-seven countries in 2013. Most of the breaches fit some basic patterns:
  1. Web App attacks (35%)
  2. Cyber Espionage (22%)
  3. Point of Sale intrusions (14%)
  4. Credit Card Skimmers (9%)
  5. Insider Misuse (8%)
  6. Crimeware (other malware incidents) (4%)
  7. Miscellaneous errors (2%)

While all industry segments were touched by cyber-attacks, the primary businesses affected by these breaches were retailers and the service industry. Some steps businesses can take to deter data breaches include:

  1. Restrict remote access
  2. Enforce password policies
  3. Do not browse social media, public websites, or personal e-mails on POS systems.
  4. Know your data and who has access to it.
  5. Review user accounts.
  6. Encrypt devices (laptops, hard drives, thumb drives – anything with data that could get lost or stolen).
  7. Move highly sensitive or valuable assets to a secure location.
  8. Properly dispose of information assets, and verify that they have been sanitized prior to disposal.
  9. Use two-factor authentication.
  10. Have a plan in place should a cyber-attack or data breach occur.

Summary

All businesses should be conducting security risk assessments. A security risk assessment will highlight areas that are vulnerable and help gauge the likelihood or impact. These should be done on a regular basis. A good risk assessment program will combine inside expertise and oversight with outside experience and insight. Using a third party to work with the company on a risk assessment will bring in a high level of security expertise not normally found in-house, as well as an unbiased and pragmatic view of policies and procedures in place. Once the risk assessment is conducted, the business should be prepared to make changes and to monitor the results.

The time to conduct a security risk assessment is now, not after an incident occurs.

Dennis Simpson

www.SimpsonAdvisoryGroup.com

Dennis.Simpson@SimpsonAdvisoryGroup.com

Simpson Security and Investigative Advisory Group, LLC