Internal Controls

Editor's Notes

• #2: SMILEIntroduce Myself – Bio Highlights
• #4: Check references and do background checks before hiring employees who will have access to sensitive data.
• #5: • Risk of an Unsuitable Hire Outweighs Screening CostsThe (FDIC) guidance points out that although there are costs associated with an effective screening process, hiring someone without such screening can carry significantly heavier financial consequences. Depending on the extent of the background check, the cost per employee could run from $25 for a basic search to $150 and up for a complete set of searches. Comparatively, the cost to replace an unsuitable hire averages more than $7,000, and a settlement stemming from a negligent hiring lawsuit averages more than $1.6 million.
• #6: How Useful?Employment screening will:Insure the safety of all your employees and customers Increase company productivity Reduce turnover and training costs Protect you and your company from liability in a lawsuit Reduce Costs By Conducting Background ChecksIt costs $7,000 to replace a salaried employee, $10,000 to replace a mid-level employee, and $40,000 to replace a senior executive. - Recruiting Times The average organization loses more than $9 per day, per employee, and 6% of its annual revenue to fraud and abuse. - Association of Certified Fraud Examiners The American Management Association reported losses to U.S. Business due to:Employee pilferage over $10 billion. Commercial bribery over $10 billion. Embezzlement over $4 billion Vandalism over $2.5 billion Burglary over $2.5 billion Insurance/Workers Compensation fraud over $2 billion. Arson over $1.3 billion. Computer Fraud over $1 billion.
• #8: Due Diligence Background Investigation Report – 02052009.Drug TestCredit ReportMVR
• #9: This is fraud that attacks the payroll system of a business. It includes schemes against salaries and wages payment systems and expense reimbursement systems. Payroll frauds can be categorized into three general areas;1. ghost employee frauds2. false wage claim frauds3. false expense reimbursement frauds The first two frauds attack the actual wage payment system, the third type attacks the expense reimbursement system
• #10: Any employee can commit payroll fraud, but how they would do so will depend upon the role they have within the business.To commit a ghost employee fraud, the employee will need to be able to add the ghost employee to the payroll register and collect payments to it. GHOST EMPLOYEE FRAUDSWhat is a ghost employee?A ghost employee is someone recorded on the payroll system, but that does not work for the business. The ghost can be a real person that (knowingly or not) is placed into the system, or a fictitious person invented by the fraudster.The aim of the fraud is to have a wage paid to the ghost and collected by the fraudster. The system does not require an accomplice but, depending on the method of payment (cash, check or direct deposit of wages), an accomplice may make the fraud easier to conduct, as it will eliminate the need to convert the payment from the ghost to the fraudster.
• #11: How is this fraud done?There are four basic steps to a ghost employee fraud.1. Add the ghost to the payroll system; - this may be as simple as using the “add Employee” function in the payroll system. In this way ghosts can be added without the normal authorization paperwork.2. Generate false time sheet or wage information to create a payment to the ghost;3. Issue a wage payment to the ghost;4. Collect the payment and if necessary converted it into a useable form. Adding ghost employees to the register may be as simple as using the 'Add Employee' function in the payroll system, where these employees may be added without the normal authorization paperwork.Ghost employees may be paid by salary - not requiring any time sheets or other wage information - or by wage where this information will have to be created as required. It is easier to make the ghost a salaried employee or similar so that constant maintenance of the fraud is not required. Once the ghost has been added to the system, the wage payment should be automatically generated.The payment needs to be collected in a way that does not raise suspicion. If the payment cannot be collected, the fraud cannot work. Cash payments may be difficult to collect but are also difficult to trace after the fact. Cheques may be mailed to the fraudster, but they leave a paper trail that may be followed. A lot of businesses pay employees by direct deposit into bank accounts. While this is the easiest way for the fraudster to get the money, it leaves the most direct paper trail.
• #12: How do you prevent this fraud?Six controls may reduce the likelihood of ghost employee frauds. They will not guarantee the frauds will not be committed but will reduce the opportunity for them to start and increase the chance of detection.1. Do not make cash payments to employees as these are easily taken and leave no trail to the fraudster once the scheme is detected.2. Have non-payroll supervisors approve payroll payments to their direct employees on a random basis. This should highlight names on the payroll register that nobody recognizes.3. Add and remove employees only with approval and verification by a number of people, or at least someone outside the payroll department. Ideally this person will be the manager under which that the employee will or did work.4. Organize performance reviews to occur personally with all employees on the payroll register, not organized for particular sites. Ghost employees do not work on a site and therefore will be missed by this review process. Not all businesses require performance reviews but similar checks should be implemented.5. Rotate responsibility for payroll functions.6. Have management check the payroll listing from time to time looking for suspicious names and addresses, and randomly meet employees on the payroll register.
• #13: False wage claim frauds are generally committed by employees working on an hourly or a piecemeal basis. It is difficult for salaried workers to make such claims as their pay is not dependent upon any one variable factor. What is false wage claim fraud?False wage claim fraud is falsely adding extra hours or other relevant factors to wage information to increase remuneration. Some employees are paid on an hourly rate, or have to clock in and out from work. They are remunerated for the standard hours worked and any overtime that they undertake. Casual employees are only paid for hours worked. These employees may add extra hours to their time sheet to get extra pay.Some employees are paid on another piecemeal basis (e.g. number of parts produced). They may have the opportunity to falsely record extra work performed. The fraud is the same as false hours fraud, but just use another type of standard to calculate remuneration.
• #14: How does the fraud work?The fraud is done simply by altering time sheets, the time recording system directly, or any other factor that determines the level of remuneration. The initial factor to consider is how the hours of other factors are recorded.Some employers use time clocks that record the start and finish times. Some do not record the normal working week, but only record overtime. Hours are recorded by the employee themselves on the honor system, and some by supervisors who may or may not be present when the work is done. Some overtime must be requested by management, some can be done on the authority of the employee themselves. It is important to determine the method of recording the hours to know how the system can be manipulated.This fraud can be transposed to other systems of remuneration. Employees that are remunerated by sales commissions may have the opportunity to falsify sale records to increase commissions. In effect, any employee that is remunerated against a standard may be able to manipulate that standard to increase their remuneration.
• #15: How do you prevent this fraud?Salaried employees generally do not have the opportunity to commit this fraud. It may be possible to move some non-salaried employees to salaries to reduce that opportunity.The fraud has two variances, that may be used together. The first is to add overtime hours to the time sheet when those hours are not worked. Stricter control over overtime will make this scheme harder to perpetrate. Requiring all overtime to be authorized beforehand and having the employee clocked off by management immediately thereafter will lessen the opportunity, but will add a layer of cost to the business. The method of recording the hours must be controlled in a manner appropriate to the business.The second variance is to record the normal hours, but not work them. This can be done by having someone else clock an employee out at the usual time, when the employee is not there. The method of recording the hours actually worked has to be controlled in a manner appropriate to the business.The same approach may be taken with recording any other standard used to pay employees.
• #16: FALSE EXPENSE REIMBURSEMENT FRAUDSFalse expense frauds can be committed by any employee entitled to make claims for reimbursement of expenses or by people processing these claims. What is false expense reimbursement fraud?False expense reimbursement fraud is the making of improper claims for the reimbursement of business expenses. There are four major types this fraud.Mischaracterized expenses,(b) Inflated expenses,(c) False expenses, and(d) Multiple claims.
• #17: How does this fraud work?The different variances of the fraud work as follows:1. Mischaracterized expenses are non-business expenses that the employee claims as a business expense. They could be dinners with friends that are claimed as client dinners, holidays that have been claimed as business trips, etc.2. Inflated expenses are legitimate business expenses that have been inflated in size. The increase is the profit kept by the employee. This can be done as easily as having the person issuing the receipt make it out to an inflated amount, or the fraudster may falsify the receipt themselves.3. False expenses are purely fictitious expenses made up by the employee to obtain a reimbursement when there has been no expenditure, business related or not. Receipts can be generated or stolen by the employee.4. Multiple claims are making the same business expense claim more than once, through different people or against a client's account and again against the business. They double the payment for the one expense.
• #18: Who commits these frauds?Any employee that has the right to claim for reimbursement of business expenses may commit these frauds. Also the people that process these claims have the opportunity to process false or inflated claims under the names of other (innocent) employees.
• #19: LESSONS TO BE LEARNED1. Not all frauds involve employees directly stealing money or assets. Payroll frauds occur when employees have the business pay them amounts to which they are not entitled, and have the payment recorded as a legitimate expense.2. Not all frauds occur once and in large amounts. Payroll frauds are generally continuous and for small amounts. The business will generally not miss smaller amounts of money as quickly as larger amounts, but will eventually add up to a significant amount.3. Employees charged with protecting the payroll system are best placed to defraud the system and hide the evidence.
• #20: “Organizations with fraud hotlines cut their fraud losses by approximately 50% per scheme. Internal audits, external audits, and background checks also significantly reduce fraud losses.”Association of Certified Fraud ExaminersGlobal Compliance:* Sarbanes-Oxley requires public companies to have a confidential and anonymous employee reporting mechanism* Employee hotlines support ethics and compliance concerns ranging from harassment reporting to company fraud reporting* Employee hotlines are the #1 channel for fraud detection – accounting for over 30% of all tips* Organizations with hotlines decrease their median loss by over 60%
• #21: You'd be surprised how often I receive a signed contract from a new client, only to find that the contract is completely unenforceable. Why? It's usually due to one of these reasons:* The official name of the company does not exist in the corporate records of the state or region in which the contract needs to be enforceable.* The signatory is signing on behalf of a legitimate company, but is not listed as a principal of that company.
• #22: Client Validation / Authentication ProcessVerify the client holds a valid business license by searching Department of State or Secretary of State business directory.Conduct a basic cyber investigation to verify client information found online.Verify business contact information and location with information found in the telephone directory.Conduct site inspection of client location via Google EarthThird Party InspectionCI utilizes On-site Verification service from Global Compliance™ which enables time efficient, cost-effective, on-site physical evaluations and inspections ensuring compliance with data protection legislation. In line with the Fair Credit Reporting Act (FCRA), On-site verification enables verification of the legitimacy and business purpose of prospective clients desiring access to consumer data.When a company "checks out clean", don't think that your investment in their history check is wasted -- you've simply bought some security for yourself and eliminated a risk factor from your business.
• #23: A good goal is to make sure that the client is who they say they are, confirm that the signatory is authorized to sign on behalf of the company, and verify that the company is legal and doing real business. Consider things such as:* Have there been any bankruptcies? When? * Is it currently in litigation with other clients or partners? Have other vendors had legal proceedings with this company? * Has the company been late on its state or federal tax filings? This is found on the Secretary of State site in some cases. * Is the business's corporate status ok? A corporate status of 'forfeit' or 'deferred' might be major a warning sign. * Are any of the principals involved in other litigation? Perform a name check on all the principals to see if they are litigant or otherwise problematic business people. * Are there any sales/size estimations or reporting? DnB sometimes provides this information, but be sure to note if the data is reported or was simply estimated by Dunn and Bradstreet. * Does the company's self-description correspond to the records you're finding? * Has the company been involved in successor corporations, complex stock dealings, or other activities not consistent with their size or business type? * Are there any liens, judgments, lawsuits, or injunctions about the company? If so, look for the Website of the court that holds the information about that event -- they might have publicly available records, too.