Chapter 6
Safeguarding Against Fraud
In This Chapter
Being realistic — why fraud can happen to you
Protecting the flow of cash in and out
Taking preventive action
Detecting when something is rotten in the state of Denmark
Guarding against online fraud
I often wait until I’ve completed writing a chapter before writing the intro. (I do this partly because intros are difficult at the best of times, and partly because I prefer to write the intro after I’m sure what the rest of the chapter holds in store.)
So, I’m writing this intro having just finished writing the chapter and boy, I’m feeling pretty down in the dumps. Days on end discussing fiddling books and diddling timesheets, chiselling the boss and fleecing the owner, taking someone for a ride and doing the dirty. Hours chatting to business owners about bitter lessons learned, and long evenings trawling the Web for stories about fraud and where the loopholes lie.
Despite my heavy heart, I realise this chapter is necessary. The moment a business hires an employee who has access to cash or company assets, this business takes a risk. To balance this risk, you need good systems and excellent controls. I prefer to be realistic and put systems in place that safeguard against fraud, rather than to trust in the universe and then have the rug pulled out from under my feet.
Even if you don’t have any employees, or you’re reading this chapter in the capacity of a bookkeeper, rather than a business owner, then safeguarding against fraud is still relevant. If you’re a bookkeeper, you’re also responsible for making sure good systems are in place. And, regardless of what role you play in a business, safeguarding against online fraud from outsiders is always a vital part of a bookkeeping role.
Getting Wise to What Goes On
Is your mental image of a typical fraudster that of a male white-collar worker, new to the job, shy and a bit of a loner? If so, then maybe you’ve been watching too much television. According to the Association of Certified Fraud Examiners (ACFE), 64 per cent of frauds are committed by long-term employees with five or more years of service. Not only that, but the trend is moving away from the lone male, with an increasing percentage of middle-aged women under the spotlight.
Pulling the wool off your own eyes
One of the things I do in my consultancy business is to teach business owners how to understand their financial statements. Part of this process involves looking at profit margins, and fairly often these profit margins don’t come out as high as the owner expects. When we discuss the many possible reasons why, one of the reasons I feel obliged to mention is employee fraud.
More often than not, business owners are horrified by the idea that employees could be stealing from them, expressing an admirable loyalty. ‘I trust my staff’, ‘My employees are like family’, ‘So-and-so has been working for us for 20 years’ are just some of the typical sentiments expressed.
A family affair
A myth that many small business owners believe is that money can’t be going astray because the employees are family members.
Sadly, just because an employee is related to the owner of the business doesn’t guarantee that they behave honestly. In fact, I think that sometimes an employee is more tempted to steal if they are family, not only because they know that they’re unlikely to get caught, but also because they reckon that if they do, their own family are unlikely to report them to the police.
In recent years, I’ve encountered two different cases of family members committing fraud. One client wanted to figure out why total sales in the accounting software didn’t match total sales in their accommodation booking software, and another client wanted to know why the payroll account wasn’t balancing. In both instances my investigation uncovered the uncomfortable truth that it was the adult children who had their hands in the till, resulting in a particularly bitter pill for their parents to swallow.
I used to trust these kinds of judgements, but in recent years I’ve worked on enough fraud cases to know that you can never be too sure. The most improbable people can be caught with their fingers in the till, and sadly, fellow family members are some of the most likely culprits.
Don’t delude yourself. No business is immune from employee theft. Employee fraud is not only more common than most people realise, but is often committed by employees who’ve been with the business for years, and who are well liked and respected by all. I’m not suggesting you carry a mantle of suspicion around you, but I am suggesting that you put good procedures in place to guard yourself against fraud.
Figuring out how the deed is done
At the risk of creating a how-to guide for sticky-fingered employees, here are five main ways to commit a fraudulent deed:
Diddling timesheets: The easiest way of all to take someone for a ride. Adding an hour here or there is so easy to do and, if caught, an employee is more likely to get a warning than the chop. Industries with shift work, irregular working hours or overtime are the most vulnerable.
Embezzling funds: There are as many way to embezzle funds as there are to leave your lover. Popular moves include transferring funds into personal bank accounts, inventing ‘ghost’ employees who don’t exist, and falsifying supplier invoices for payment and paying invoices twice, with the second payment going to a personal bank account. The most likely candidate for embezzlement is a bookkeeper who has access to bank accounts (always a bad idea).
Getting kickbacks: Politicians and property developers spring instantly to mind, but actually, most kickbacks happen on a much smaller scale. Maybe an employee gets 200 bucks every time they arrange for a mate to get a contract, or they get a percentage kickback for arranging for another company to be a preferred supplier.
Skimming off the cream: Another relatively easy way to fleece a business, especially for bookkeepers who are also responsible for doing the banking. The bookkeeper counts up the money and seems to do all the right things, but somewhere between the office and the bank, a wad of cash goes missing.
Stealing company assets: Businesses that carry any kind of stock are vulnerable to asset theft. Obviously, the more mainstream your stock, the more vulnerable you are, so if you buy and sell BMX bikes you need to be way more vigilant than someone who sells prosthetic implants.
Another kind of fraud worth mentioning is résumé fraud, where an employee applies for a job and lies about their experience and qualifications. Obviously, no money goes missing directly with résumé fraud, but your potential losses can still be substantial, both in terms of your reputation and legal liability.
Controlling Money In, Money Out
All businesses need to set procedures in place that safeguard the flow of money into and out of the business (these procedures form part of what accountants describe as internal controls). In general, the bigger a business, the more stringent controls need to be. However, all the controls I talk about in the next few pages are relevant to any business that has employees.
Choosing signatories for bank accounts
When you open a new bank account, one of the first things the bank wants to know is who is going to be authorised to sign cheques or approve online payments.
If you’re the owner of a small business, I recommend you remain the only signatory and password holder on the account. Only when your business becomes too big for you to be able to sign every cheque or authorise every online payment should you decide to delegate this authority.
If you do decide to get another signatory on your business bank account, one good safeguard is to specify that two signatures are required on every cheque. Alternatively, you can create a second business account with a low daily transaction limit and authorise a second signatory on this account. In addition, consider organising your accounts so that your business account runs relatively lean and excess funds sit in a savings account, and set up this savings account so that only you can access it. (For more tips on safe online banking, skip to ‘Safeguarding from the inside out’ later in this chapter.)
I also suggest you ask the bank to supply all cheques as crossed cheques. A crossed cheque has two parallel lines with the words ‘not negotiable’ printed across the middle. This means that the cheque can only be paid into a bank account and cannot be cashed over the counter.
Receiving payments
Receiving money is obviously one of the key areas where you need to apply good controls and procedures in any business. I can’t say exactly what these procedures are, because so much depends on the nature and size of the business in question, but I can give some pointers:
If customers ever pay accounts using cash, then make sure the person responsible for receiving and receipting cash payments isn’t the bookkeeper. (I talk more about the separation of duties later in this chapter, in the section ‘Separating powers between bookkeepers and the cash’.)
Issue numbered receipts for all cash payments on the spot, either with a receipt from the till, a printed receipt from your accounting software or a handwritten receipt using a carbon copy receipt book.
Balance customer payments on a daily basis: If you’re using a cash register, balance at the close of each day using some kind of daysheet; if you record customer payments in your accounting system, print a deposit slip and balance this deposit against daily EFTPOS and cash totals.
In retail environments, consider installing a letterbox safe, where employees can ‘post’ cash takings into the safe at the end of each day without needing to know the combination code for accessing the safe.
If you’re using accounting software, set user restrictions so that only a senior manager can delete invoices or payments (receipting a cash payment, then deleting both the payment transaction and the original invoice is a common scam). Alternatively, if your software doesn’t allow you to set user restrictions individually in this way, switch on audit tracking so you can at least monitor if an employee deletes an invoice or a payment. (See ‘Checking audit trails’ later in this chapter for more about audit trails.)
If a customer supplies credit card details over the phone, ensure that a procedure is in place to destroy these credit card details as soon as their payment has been processed.
Reconcile the bank regularly, following up any discrepancies straight away.
Making payments
Unless you’re the business owner and the bookkeeper all in one, never let the bookkeeper sign cheques or make payments. A bookkeeper can prepare bills for signing or electronic payment, but the business owner or manager needs to sight the payment details, view the original supplier bill or employee timesheet, and authorise the payment.
Even with this safeguard in place, you still need to set up some checks and balances to make sure that no-one can do the dirty on you. The most vulnerable area in accounts is usually accounts payable. Common fraud includes double-paying suppliers, and then getting a kickback from the supplier who has been double-paid, or a bookkeeper entering their own bank account details under a particular supplier’s name.
You can guard against fraudulent double-payment of bills by putting in policies that stipulate that the person who approves bills must sight an original bill, and initial the bill as approved. Similarly, the person who authorises payment needs to view this same invoice and check that it has been approved.
If you pay bills online, make sure that all suppliers submit account details using a signed form or by printing these details on their invoice. Then ensure that only company directors or the business owner can set up new supplier account details in the accounting software or Internet banking software. (For more about secure online payments, see ‘Protecting Against Online Fraud’ later in this chapter.)
Payroll is another area that is prone to manipulation. Put procedures in place so that whoever signs cheques or approves electronic payments also views the original employee timesheets. If this person isn’t the business owner, then you need two people to sign or approve each payment.
Last, when signing cheques, make sure there’s no space in front of words or figures that would allow someone to alter amounts (for example, changing an amount from $350 to become $3,350). This warning is particularly important if an employee has written the cheque and all you’re doing is signing it.
Managing cash in a retail setting
If you’re a retailer, you have a few extra considerations when keeping tabs on cash in and cash out. Here are a few tips to help out:
Balance every day: Always balance the cash registers at the end of each day, comparing totals for till rolls to the total of cash in the register and EFTPOS payments. Figure 6-1 shows an example daysheet for a small retailer. I used Excel to create this daysheet, but most Point-of-Sale systems provide their own end-of-day balancing process.
Figure 6-1: Always balance cash registers at the end of each day.
Draw up a clear policy for refunds: Quite how this policy works depends on the business. Possibly implement a numbered refund system with a form that employees complete detailing what happened and how, or make it that only managers can approve refunds.
Have a fixed float: Set a fixed amount for the daily till floats and stick to it. If the float amount is always changing then balancing the till is much trickier, and employees are more likely to make mistakes.
Impersonate big brother: At the risk of sounding rather Orwellian, you could consider security cameras at the register.
Issue receipts with every sale: Put up a sign saying to customers ‘Please ask for a receipt’ and make clear to employees that a receipt must be provided for all sales. This policy not only reduces the likelihood of employees not ringing up sales and pocketing the cash, but also prevents shoplifters trying to get refunds for items they never purchased in the first place (assuming you have a policy stating that a receipt is required for any refunds).
Keep an eye on overrings: A legitimate example of an overring is when an employee accidentally enters $50 rather than $5 for an item, and then rings up an adjustment of a $45 credit. A more sinister example of the same thing is an employee making a sale for $50, giving the customer a receipt, then ringing up a $45 overring and pocketing the cash. You can minimise the likelihood of this kind of fraud by requiring employees to report in writing for each overring or by barcoding all items so employees don’t key in amounts, rather they simply scan the items.
Use individual logons: If possible, get employees to sign into the cash register using a logon and password, and make this employee responsible for balancing the register at the end of their shift.
Dealing with petty cash
I deal with petty cash procedures in more detail in Chapter 8, but remember that ready cash lying around in a tin is as tempting to some employees as honey is to bees. And, if an employee takes ten bucks from the cash tin and gets away with it, they may be tempted to continue on this slippery slope and, over time, move on to more drastic action.
The answer is always to keep petty cash under lock and key, even if you only have a float of $100 or so. Ensure you have strict petty cash procedures, and that the petty cash tin is balanced every time it’s topped up with cash.
Putting Systems into Place
I was listening to a show on the radio about parenting teenagers recently, and the speaker was talking about how important it is for teenagers not only to be aware of what’s expected of them, but also that you’re on the case. In other words, if your teenager breaks all the rules, you care enough that you’re likely to find out. He said his philosophy wasn’t about not trusting your kids, rather it was about creating an environment where trust is easy to come by.
In a way, setting up business systems is similar. I’m not suggesting that a business owner doesn’t trust their employees. After all, without trust a workplace is going to be a pretty miserable place. However, I am suggesting you put systems in place so that you can be confident that trust in employees won’t be misplaced, and that employees have a working environment with procedures that are fair and guarantee security for everyone.
Separating powers between bookkeepers and the cash
I realise this is a beefy chapter, with a whole swag of tips about preventing fraud. As a business owner, if you only do one thing to protect your business, it should be this: Don’t let your bookkeeper handle money or assets.
When I talk about handling money or assets, I include the following:
Working on a cash register and taking cash
Receiving payments from customers on accounts
Balancing cash registers at the end of the day
Having access to assets, such as business inventory
Being able to authorise transactions above an agreed amount
The reason for these controls is simple: If an employee has access to cash, assets or bill authorisation, then they have the potential to take cash, steal assets or authorise illegitimate bills. If this employee is also the bookkeeper, they have the perfect opportunity to cover their tracks.
As a bookkeeper, you may well be asked by an employer to handle cash and do the books. I reckon this request puts you in a tricky position. Sure, you may be completely clear in your own mind that you would never do the wrong thing by your employer, but by accepting this role, you do compromise your professional standards. If you leave this bookkeeping role in the future and the employer hires another bookkeeper who isn’t as scrupulous as you, then you’ve set an unfortunate precedent.
I can’t be too cut-and-dried about recommending what you should do in this situation. After all, your employer may be quite perturbed if you declare that you don’t want to bank daily cash takings because the potential is there for you to succumb to temptation. However, it probably serves you well to point out the reason why auditors and accountants recommend that bookkeepers never handle cash, and why you recommend the employer follows suit.
Authorising bill payments
Any business with more than a handful of employees needs to put clear authorisation procedures in place for supplier bills. Usually this means that a couple of different employees are responsible for authorising bills: The warehouse manager may authorise bills for stock, matching these bills against delivery dockets; the office manager may authorise the office stationery account; the sales manager may authorise advertising expenditure. The main principle here is that the person responsible for incurring the expense is the same person who authorises the payment of the bill.
The perfect crime
Last year, I was reminded again of how important it is to separate the role of bookkeeper from any cash handling duties. A client of mine had a business where the receptionist was responsible for receiving payments on account and issuing receipts. However, the bookkeeper was then responsible for daily banking and reconciling the bank account.
A couple of months after this bookkeeper resigned (after many years in the job), the new bookkeeper asked me for help locating an invoice in the accounting system, as a customer had requested a duplicate copy. ‘How odd’, we thought. We could find no invoice for that customer, even though there were no missing invoice numbers in the system.
We dug deeper, and slowly (using audit trails and archived reports), we uncovered what must have been going on for years. Once every month or so, the old bookkeeper would simply pocket some of the cash on the way to the bank (the standard invoice amount at this office was $660, which was the amount she usually pocketed). The bookkeeper then located both the receipt that the receptionist had recorded, along with the original invoice, and deleted both transactions. Finally, she reset the invoice numbers so that they wouldn’t be out of sequence.
My client never got any of his money back, even though he instigated court proceedings. However, he now makes sure that the receptionist receives the cash but issues numbered receipts only (and doesn’t have access to the accounting system), the bookkeeper records the payments but doesn’t handle any cash, and the manager does the daily banking, balancing totals against the receipt book.
With this process in mind, bills often pass through three sets of hands before being paid and finalised:
1. The person who incurred the expense gets the bill, ensures that the correct price has been charged and the goods or services were definitely received, and approves the bill.
2. The bookkeeper prepares the bill for payment, either writing a cheque, or entering the payment into accounting or Internet banking software, ready for electronic authorisation.
3. A company director or senior manager views the bill, checks that it has been approved, and authorises the payment, either by signing a cheque or by entering a password to process electronic payments. (This step may also involve a second cheque signatory or password holder.)
This authorisation process works well for most kind of bills, but remember to set up systems for other kinds of payments, for instance payroll and the reimbursement of employee expenses. In particular, I suggest you be vigilant for overstated claims, duplicated claims or claims where an employee has already paid for an expense using a company credit card, but then submits an additional expense claim form with the receipt attached.
Keeping an eye on stock
I notice that while many bookkeepers are alert to the possibility of cash going missing in action, few bookkeepers have the same attitude when it comes to protecting stock on hand. If a business carries stock on hand, particularly stock that can be easily sold for cash, then you need additional systems to safeguard this asset.
1. Separate ordering roles from accepting deliveries.
The idea is that whoever orders inventory doesn’t accept delivery of inventory. So if an employee in a liquor store orders a special case of single malt whisky with a view to sneaking it home, the person accepting the delivery receives the case, and books it into stock.
2. Make sure every bill has a delivery docket as its playmate.
If a bill doesn’t have a matching delivery docket or stock receipt, then it can’t get approved for payment.
3. The employee who orders inventory is responsible for approving bills.
This way, the employee is responsible for checking that the supplier delivered what was ordered, and charged the agreed price.
4. Protect stock from walking out the door.
Control physical access to the warehouse by employees and suppliers. Only give keys to full-time employees, restrict access to the warehouse, and don’t hesitate to change locks and passwords when an employee resigns. Install alarm systems that trigger a phone call to management if alarms are disarmed after hours.
5. Identify categories of inventory that may be more vulnerable to theft than others.
For example, if you’re a whitegoods retailer you probably need to be a whole lot more vigilant about protecting iPods and expensive cameras, than you need to be about protecting kettles or commercial fridges.
6. Do stocktakes regularly and report back to staff.
Unless you’re living in some form of Utopia, every stocktake has discrepancies. I like to report discrepancies back to warehouse staff and involve staff in tracking down possible reasons why (often the cause is human error, rather than theft).
Setting ground rules in the workplace
One of the best ways to prevent fraud in the workplace is to put a code of conduct in place which stipulates that fraudulent activity on any level isn’t acceptable. In this statement, include a clear outline of what steps an employee can take if they suspect another employee of fraud and provide a guarantee that any employee who reports fraud will remain anonymous. Explain that fraud takes many forms, and includes examples such as overstating hours on timesheets and overclaiming on expenses.
In addition, carefully screen all new employees before they start employment, in particular checking previous employer references and double-checking qualifications listed on an employee’s résumé.
Clocking on, clocking off
Earlier in this chapter I explain how diddling timesheets (adding extra hours that weren’t actually worked) is one of the most common types of employee fraud. Any business with shift work, irregular hours or overtime is particularly vulnerable to this kind of fraud.
The best way to safeguard against timesheet fraud depends on the business, but here are a few possible methods:
In your code of conduct (refer to ‘Setting ground rules in the workplace’ earlier in this chapter), specifically state that timesheet fraud of any kind will be taken seriously and result in disciplinary action.
Compare timesheets of staff members who are supposedly doing shifts together.
Implement bundy clock or time clock systems, where employees have to swipe cards when they arrive or leave.
Put in a process so that any overtime has to be approved by management first.
Standardise working hours, so that employees start and finish at specific times.
Tell management staff that they are expected to double-check timesheet start and finish times, and take immediate action if an employee pushes the envelope.
From time to time, scan payroll reports with a view of seeing if a particular employee consistently claims more overtime than others.
Protecting Against Online Fraud
Most banks don’t provide the public with figures regarding how much money is lost each year to online fraud, but rest assured, the amount is substantial. Although many banks reimburse customers who fall victim to fraud, some others don’t, and almost all banks take several days, if not weeks, before the money comes back into your account.
One of the scariest types of online fraud is keystroke logging, where a hacker records the letters or numbers that you type when you’re logging onto your Internet banking account. You can reduce the risk of keystroke logging fraud by investing in good anti-virus software and firewalls, but the banks provide no guarantee that this protection is sufficient.
Choosing online services
You may already be aware that most banks offer personal Internet banking services and business Internet banking services. The differences between the two depend on the bank, but business Internet banking usually includes features such as being able to import payment batches from your accounting software, have higher daily payment limits and provide different levels of access for different employees.
When you’re considering what kind of online services to choose, do spend time evaluating the security features. Most banks now offer business customers something called two-factor security, which involves the requirement that customers provide two kinds of identification, rather than the single password normally required by Internet banking.
You get a few different kinds of two-factor security. Some banks have on-screen keyboards to prevent keystroke logging, and many Australian and New Zealand banks now offer security tokens (a personalised electronic device that displays a different code every 15 minutes). Another innovation is an SMS payment feature, where the bank sends a text message to the customer’s mobile phone after every transaction. Money doesn’t get transferred until the customer responds to the text message.
Protecting your passwords
Sometimes life feels so scattered that I can scarcely remember my own name, let alone my children’s names, whether or not I’ve fed the dog, or where I stored the spare house keys. So when my bank issues me with a 15-digit registration number, a phone banking password, a separate Internet banking password and my special security question, I feel myself fading fast.
Never mind, I haven’t yet succumbed to writing down my passwords and sticking them on the fridge. I’m even cocky enough to come up with a bit of unsolicited advice:
Don’t choose a password that anyone else could guess (for example, your date of birth, telephone number, your name, your pet’s name or one of your children’s names).
Have one password for banking activities and another password for non-banking activities (such as FaceBook, Twitter, viewing telephone accounts, subscribing to online forum boards or whatever).
Make sure your banking password has at least eight characters and uses a combo of uppercase letters, lowercase letters and numbers, such as ‘efxK28LP6’.
Change banking passwords regularly. If you find you forget passwords every time you change them, try using the first initial of the month as one of the characters in your password. (For example, in January your password may be AiusJ298, but in February you change this to become AisuF298.)
Don’t give out your Internet banking password to anyone. If you receive a call or an email asking for personal information or a card number, you can be pretty sure you’re on the receiving end of a scam — no bank ever asks customers to disclose PIN numbers or password information.
Never write your password down even if disguised.
Always log on to Internet banking by entering the website address of the bank (for example, www.anz.com) into the address bar. Never follow a link from an email to visit your bank’s web page.
Don’t use a public computer for Internet banking (you can’t guarantee the integrity of firewalls and anti-virus protection on a computer that’s not your own).
Safeguarding from the inside out
Of course, not all online fraud is committed by hackers from the outside. Often, online fraud is committed by employees of the business.
The most common way an employee perpetrates online fraud is by substituting a supplier’s banking details with their own. Although banks ask for an account name, all the bank actually looks at when making a transfer is the account number and branch. In other words, a bookkeeper may prepare a payment ready for the owner to authorise, and at first glance this payment looks as if it’s going to a known supplier, but the banking details have actually been changed.
In a busy office, the owner or person authorising payments doesn’t have time to check the bank details of every payment. However, what you can do is check that electronic account details payments are spot checked regularly, and also implement password restrictions so that only the owner, or nominated directors, can authorise new suppliers. (Also, make sure procedures are in place so that the directors get supplier account info directly from the supplier or from their bills, and that the bookkeeper isn’t the one responsible for gathering this info.)
Detecting Fraud
Up until now in this chapter, I concentrate exclusively on preventing fraud. However, what if you have a sixth sense that all is not well, and you want to check a set of accounts to see if something is astray? Or what if you’re the bookkeeper, and the owner asks you to investigate why profit margins are falling?
Just like Miss Marple, you need the nose of a beagle, a razor sharp intuition and a few detective tools.
Monitoring margins with a beady eye
One of the most sure-fire ways of detecting fraud is if your gross profit margin shows up on your final Profit & Loss report as lower than you expected.
A few years ago, I was called asked to assist a private detective in the investigation of employee fraud. The client had first become suspicious when he noticed that his gross profit margin had dropped from 74 per cent to 72 per cent for several months in a row. His profit margin had been stable for many years at 74 per cent, and nothing had changed with his pricing policies. He also had an uncomfortable feeling about his internal accountant. The investigation took some time, but in the end we identified a total of 15 payments (each one for $5,020) which had been made electronically into the accountant’s personal bank account (every fortnight or so, he would temporarily edit a supplier’s bank account details to change them to his own account, then forge a duplicate bill from this supplier and get payment approved). His method was smart, as the business purchased computers from this supplier several times a week, and the price of a standard unit was always $5,020.
You can also extend this principle of monitoring gross margins not just for the business as a whole, but for individual items within a business. Another client of mine had a retail store, and we spotted a case of employee fraud when several items appeared with a negative gross profit. The employee had been making sales to friends at substantial discounts of up to 75 per cent (and presumably getting a kickback later on).
Staying alert to suspicious behaviour
According to the Association of Certified Fraud Examiners (ACFE), an increasing amount of employee fraud is committed by employees with a gambling addiction. Gambling addictions are hard to spot, but worth keeping an eye out for (long lunches at the clubs, arriving late and exhausted for work, never having any ready cash, poor performance and distracted at work, and so on).
As part of staying alert to suspicious behaviour, keep your eye out for employees who are always keen to work late or rarely take holidays. (If an employee never takes more than a couple of day’s leave at one time, fraud is often detected only after an employee resigns and someone else takes on their position.)
Other times, owners may have suspicions that an employee may be skimming cash or stealing stock, but be too fearful to implement systems because of employee backlash. For example, one client of mine had a retail health food store where the employees were trusted to do their own shopping, ring their sales up on the register and pay. My client was pretty sure that sometimes not everything got rung up on the till, but was too apprehensive of employee backlash to implement a system that required employees to get another employee to ring up their purchases.
Checking audit trails
This is a book about bookkeeping, not about auditing, so I don’t have enough space to cover everything you need to know about checking audit trails (and besides, this stuff hardly makes for cheery bedtime reading). However, I can give you a few hot tips for checking your own audit trail reports from time to time.
By the way, audit reports aren’t much use to anyone unless you can identify who made what entry. That’s why individual user IDs and passwords are so important when using accounting software. Give every employee their own logon and password and make it clear that passwords are confidential and must not be shared.
With this kind of system in place, here are some things to look out for in your audit reports:
Changing of transactions: If a transaction has been changed, look to see who changed it and whether this change seems reasonable.
Deletion of transactions: Again, if a transaction is deleted, check out who deleted it and why. In particular, investigate the deletion of any customer receipts or invoices.
Differences between session dates and transaction dates: If an employee only works on the accounting system raising invoices or recording stock transactions, then you expect the session date (that’s the day they record a transaction) to be the same or close to the transaction date (that’s the day the transaction occurred). Large disparities between session dates and transaction dates often indicate either genuine mistakes or a cooking of the books.
Missing invoice/receipt numbers: Almost all accounting systems automatically increase invoice and receipt numbers incrementally with each new invoice or receipt. If a number is missing in the sequence, it usually means that an invoice or a receipt has been deleted.
Switching preferences on and off: Depending on the accounting software, preferences control vital decisions such as whether transactions can be edited or audit trail tracking switched off. I’ve seen cases where an employee finds out the master password, then switches audit trail tracking off and deletes an invoice and its payment, then switches audit trail tracking back on. By identifying that this employee was changing preferences on a regular basis, my client was able to monitor her actions and identify what was going on.
Some accounting software packages don’t provide audit trail reports unless you switch on audit tracking in the first place. So don’t wait until you have suspicious circumstances on your hands, but go check right now, and make sure that you have audit tracking activated.
Employing external auditors
Most small businesses never get their accounts audited, and only consider doing so if they suspect an employee or a partner of fraud. An external audit is an unnecessary expense, and money is usually much better spent making sure that good systems are in place. However, if you work for a not-for-profit organisation that requires a high level of accountability to its members or to taxpayers, then an external auditor is often a legal requirement. Private investors also sometimes require external audits.
My experience of working with external auditors has been very positive. Most auditors are good at their jobs, and I’ve found the recommendations they make for improving accountability and internal systems to be really useful. However, don’t fall into the trap of thinking that just because your books have been audited, you have nothing to worry about. Auditors aren’t psychic. If you don’t have adequate internal controls in place (for example, you don’t balance the till each day, or the secretary who issues customer receipts also does the daily banking), then fraud may go undetected by even the most experienced of auditors.