Eliminating the Possibility for Fraud: A Business Fraud Checklist

​Unfortunately, there is no way to eliminate the potential for business fraud entirely. However, you can minimize the likelihood that it will occur by strategically removing the most common ways that fraud occurs. 

A magnifying glass over the word Fraud

As a business owner you need to understand that no company is immune from the possibility for fraud. Every day businesses become victims of theft, resulting in not only lost cash but also sensitive information and business data. Realizing this is paramount. Fraud does happen and it can happen to you.

​Implementing internal controls is the foundation of fraud prevention initiatives, but your efforts should not stop there. Today’s heightened cyber threats require a tactical approach to cybersecurity as well. Consider the following cyber fraud statistics about US companies:

• Cybercrime cost businesses $6.9B last year
• 41% of executives do not believe that their security precautions have kept up with the digital transformation
• Only half of businesses have a cyber security plan in place, and of those 32% have not changed that plan since the pandemic shifted their employees into remote/hybrid work
• Only 43% of businesses feel prepared to face a cyberattack
• Weak or compromised passwords account for 71% of cybersecurity breaches
• Over the last two years there has been a 60% increase in cyberattacks

So, what can be done about this vulnerability in the face of heightened cybersecurity concerns? Businesses must take a comprehensive approach to the security of their financial data. Establishing and maintaining internal controls and cybersecurity best practices are going to be your best defense against internal or external fraud.

 Use this comprehensive business fraud checklist to mitigate fraud risk:

• Practice Segregation of Duties

Separate accounting duties among different employees at all levels to keep activities like making cash deposits and preparing financial reports apart. Making it difficult for an individual to cover up their fraudulent activity closes the door on simple opportunistic theft. To reduce the risk of collusion the further accounting duties are distanced the better.

• Establish Access Controls

As the old saying goes “Access controls keep people out to keep value in.” Access controls can be physical (like locks on cash drawers, safes, or badge-only access areas) or virtual (like passwords).

Set permission levels on accounting software and apps and establish unique passwords for all employees. Use a password manager service to generate secure passwords and require that these passwords be changed frequently to minimize the likelihood that a compromised password can be used fraudulently on an ongoing basis. Where possible, utilize multi-factor authentication as well.

Use access logs to see what employees are accessing and when to ensure that it matches with their job duties. Rely on these records to help identify the culprit if fraudulent activity is discovered.

• Require Approvals

Requiring a sign off on things like major expenses or business travel reduces the likelihood that asset misappropriation will occur. Funneling purchases through more senior employees or your most trusted leadership members adds an extra layer of defense. Now, keep in mind, it is possible that someone at the top can be stealing from the company as well, and required approvals will not prevent against that. However, this is a solid defense against the rising trend of employee embezzlement from normal business activities like adding new vendors or increasing payments to existing vendors.

• Audit Assets

Regular asset audits are common at most businesses, whether they are virtual, physical, or both. Taking the time to count inventory on a quarterly or yearly basis is a way to protect business assets. However, audits should not end with these types of predictable examinations. They should also include surprise checks of cash drawers, bank account balances, and other company assets to keep employees honest.

• Use Trial Balances

Trial balances are used to keep an internal record of credits and debits, thereby allowing a company to find errors and omissions in their double-entry accounting system. Whether these are a result of a mistake or fraudulent activity will need to be determined as part of a follow-up investigation after a discrepancy is found. At the very least trial balances can increase the accuracy of financial data, at the most they can help to identify and stop fraud quickly.

• Conduct Reconciliations

Bank and credit reconciliations are a crucial part of cash flow management, which means that companies should already be performing them regularly. But as an added bonus, they can also help uncover fraudulent activity by knowing which deposits, charges, and payments are cleared or in-transit at any given time.

• Standardize Business Templates

Use the same templates across all business teams for estimates, invoices, purchase orders, expense reports, and other business activities to streamline audits. It is much easier to find the kinds of discrepancies that can signal fraud when your accountants are looking at the same kind of documents than it is if they are trying to line up incongruous items.

• Perform Data Backups

Regular data backups provide a safeguard against data loss. If there is a cybersecurity breach and information must be restored, you will want to know that you have current financial data to fall back on. Data backups can also be used to compare against current financial information in the case of fraudulent activity that involves deleting or changing records.

• Utilize Reputable Service Providers

Even companies that have excellent internal controls can be compromised by partnering with vendors or providers with vulnerabilities. This is one reason that some companies prefer to work with more established service providers instead of freelancers for their outsourced business needs.
Companies that have strong internal controls should look for providers with similar policies and protocols in place to maintain their strength in these areas. Companies with weaker internal controls should seek out providers that have more stringent security guidelines to help encourage their efforts in these areas.

• Train Employees to Identify Threats

Employees are not inherently going to know how to protect their employers from fraud. Help employees understand what kinds of threats exist, how to avoid them, and where to report them by providing formal training them in this area.

Some companies not only offer cyber threat training but also run periodic tests to analyze their vulnerabilities. Staging fake threats like fictitious email phishing schemes or phony vendor invoices to see how employees react is a proven way to gauge the effectiveness of their training and sure up security holes before a real threat arises. Reward employees who respond to these correctly and offer additional training to employees that fall for these threats.

• Put Employees Behind a Firewall

Ensure that all the work employees do is happening behind an anti-malware firewall. Your firewall should protect individual devices as well as the entire network from malware to ward off cyberattacks.

As a secondary layer of defense, use anti-virus software to catch anything that makes it through your firewall. Anti-virus software will conduct routine scans automatically to look for malicious software or attempts to breech the firewall. As long as it is regularly updated it will operate using the newest cybersecurity information available to keep up with constantly evolving cyber threats as well.

Working together a VPN and firewall make up two of the “Security Six” safeguards that the IRS lays out as best practices for tax professionals, which demonstrates how important they are to cybersecurity for accountants.

• Adapt to Remote Work

When employees are working remotely, safeguard their work and their devices by having them work over a VPN. A VPN creates an encrypted tunnel for data to move through no matter where a user is located to keep it safe along the way. Once only used for financial institutions, most companies are using some kind of VPN service for anyone that is working on shared networks these days.

If possible, only have employees work on company-provided devices to avoid the additional security risks associated with working on their own phones and computers. Use drive encryption in case a device is lost, stolen, or hacked. Where possible, use a mobile device management platform on company equipment for any employees working offsite so that if a device is lost or stolen it can be locked down to block access.

Lastly, establish company policies to clearly define expectations related to things like accessing, transmitting, and sharing sensitive information and financial data. Do not leave it up to guesswork. What may seem obvious to management may not be well understood by some employees. Clearly differentiate between what is and what is not allowed. For legal reasons, it is typically best to also include verbiage that explains the consequences of not adhering to these policies.

For a real world example from one of our colleagues of how these types of precautions can safeguard your business read: A True Story About Accounting Cybersecurity a One Company’s Narrow Escape

Remember, your business cannot be protected against fraud if you cannot trust the people tasked with managing its finances. If you are looking for a reputable accounting company, please reach out to us. We employ a seasoned team of accounting professionals that uses their extensive experience combined with ethical practices to deliver top-rated accounting services to clients across Oregon, Washington, and Colorado.