Fraud Prevention: Focus on What's in Your Control
Fraud is a buzzword no one particularly enjoys talking about. The word itself carries a negative connotation for all the obvious reasons, and many organizations completely avoid the subject. However, anyone who undergoes an annual audit knows that auditors are required to inquire about any real or suspected fraud within an organization and any steps that the organization has taken to detect and prevent fraud. Auditors ask these questions not to annoy you and make you uncomfortable, but rather to ensure that your organization is taking the necessary steps to protect itself and its employees. A study performed by the Association of Certified Fraud Examiners (ACFE) in 2014, and reported in their Report to the Nations on Occupational Fraud and Abuse, found the following:
- A typical organization loses 5 percent of revenues each year to fraud.
- The median loss caused by the frauds was $145,000 with 22 percent of the cases involving losses of at least $1 million.
- The amount of time from when the fraud commenced until it was detected was 18 months.
- Asset misappropriations were the most common frauds, occurring in 85 percent of the cases, causing a median loss of $130,000.
As you can see from the findings above, ignoring the fraud talk can have serious implications for your organization. Furthermore, these statistics beg the question, “Why would someone do this to our company?” The answer lies in what is known as the fraud triangle.
[Figure: the fraud triangle. From The University of Indiana. http://www.usi.edu/internalaudit/what-is-fraud]
Those who commit fraud all have three things in common: pressure, opportunity, and the ability to rationalize their wrongdoing. Of the three areas of the triangle, only opportunity can be controlled by the organization.
Pressure can be real or perceived, but regardless of its source, it stems from an internal belief that cannot be controlled by an outside entity. Common pressures can include family medical bills, credit card bills, mortgages, etc.
Opportunity is a product of the internal control structure in place at an organization. If the organization has strong preventative controls in place, then the opportunity to commit fraud is greatly reduced; however, if the organization has instituted few or no controls, then the opportunity to commit fraud is prevalent.
Lastly, rationalization is the fraudster’s belief that what they are doing is okay. Rationalization, like pressure, is derived internally and cannot be controlled by outside sources. It is often driven by the individual’s belief that they are being treated unfairly or that what they are doing will not affect the organization. For example, an employee who steals from their employer might rationalize their behavior by saying, “I’ve given this organization 20 years of my life and barely make more than the day I started. I am vastly underpaid, and they don’t appreciate me.” Or, “This company makes so much money, they’ll never miss what I’m taking, and besides, I need it more than they do.”
Focus on what you can control.
To effectively manage someone’s opportunity to commit fraud, it is vital to implement a system of preventative controls. Unlike detective and corrective controls, preventative controls seek to eliminate the problem before it starts by taking a proactive approach instead of reacting to an existing problem.
Preventative controls are established through segregation of duties. Segregation of duties is the idea that one person should not be able to complete all critical functions of a transaction from start to finish. For example, the same individual should not be responsible for collecting money, entering the transaction, making the deposit, and reconciling the bank account. For some organizations, the logistics of segregating responsibility can be daunting due to the limited number of employees. Yet even if the organization only has two employees, separation of duties can exist. The following lists were created by the AICPA to demonstrate how responsibilities can and should be shared within organizations that have two employees and those that have three or more.
As seen in the lists above, even with only two employees, an organization would be able to adopt a system of controls to separate responsibilities so no one employee has custody of assets, authorization to approve transactions related to those assets, and the ability to record those transactions. This would prevent any one employee from taking a transaction from start to finish. This separation of duties can be effectively managed in CommunitySuite using permissions and groups.
Every CommunitySuite site comes loaded with four default groups: Admin, Accounting, Staff, and Audit. Each of these groups has its own built-in permissions that allow pre-set access to a foundation’s site. These permissions range from full access to the system (Admin) to read-only access (Audit). An organization should start with these default groups and edit their permissions based on their needs and number of employees.
Rather than starting a group from scratch, CommunitySuite allows you to create your own permission group and copy the permission settings of another group. The creation of a new group is recommended rather than adjusting one of the four default permissions, so you always have a template to start from. These permissions pertain to each area in CommunitySuite and include the option to allow tailored access, including: no access, read-only access, full access, and custom access through advanced settings.
After an organization has created groups and assigned the applicable restrictions, users can be assigned to the groups. A user’s rights in the site will be determined by the group they are assigned to. Each user should only be in one group, as CommunitySuite will default to giving the user the rights of the least restrictive group that they are in. Below is an example of how responsibilities can be split in the Voucher area of CommunitySuite. This is just one of the many areas where permissions can be customized.
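As an added illustration (not part of the original article, and not CommunitySuite's own code or export format), the following Python example audits a user-to-group assignment for the two problems described above: a user placed in more than one group, and a user whose merged, least restrictive rights cover custody, authorization, and recording at once. The group names, the three duty keys, and the sample data are constructed assumptions; custom access through advanced settings is not modeled.

```python
# Access levels from most to least restrictive, as named in the article.
LEVELS = ["none", "read", "full"]
DUTIES = ("custody", "authorization", "recording")

# Constructed sample groups (hypothetical, not CommunitySuite defaults
# except the read-only "Audit" group the article mentions).
GROUPS = {
    "Cashier":    {"custody": "full", "authorization": "none", "recording": "read"},
    "Approver":   {"custody": "none", "authorization": "full", "recording": "read"},
    "Bookkeeper": {"custody": "none", "authorization": "none", "recording": "full"},
    "Audit":      {"custody": "read", "authorization": "read", "recording": "read"},
}

# Constructed sample assignment of users to groups.
MEMBERSHIP = {
    "alice": ["Cashier"],
    "bob":   ["Approver", "Bookkeeper"],
    "carol": ["Cashier", "Approver", "Bookkeeper"],
    "dave":  ["Audit"],
}

def effective_rights(group_names, groups=GROUPS):
    """Merge groups the way the article describes: least restrictive wins."""
    rights = {duty: "none" for duty in DUTIES}
    for name in group_names:
        for duty, level in groups[name].items():
            rights[duty] = max(rights[duty], level, key=LEVELS.index)
    return rights

def audit(membership=MEMBERSHIP, groups=GROUPS):
    """Return {user: [finding codes]} for users that need review."""
    findings = {}
    for user, names in membership.items():
        rights = effective_rights(names, groups)
        issues = []
        if len(names) > 1:
            # The article recommends exactly one group per user.
            issues.append("MULTI_GROUP")
        if all(rights[duty] == "full" for duty in DUTIES):
            # One person can take a transaction from start to finish.
            issues.append("FULL_CYCLE")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit().items():
        print(user, effective_rights(MEMBERSHIP[user]), issues)
```

In the sample data, none of carol's three groups grants the full cycle by itself; the conflict only appears once the groups are merged, which is why the review has to run on effective rights rather than on each group definition.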
No one likes to talk about the potential of fraud within their organization. However, ignoring the topic can result in substantial loss to a company. While no company can prevent all fraud, an organization can implement a set of preventative controls that includes a proper segregation of duties amongst its employees. CommunitySuite can aid in this process through the ability to assign employees to defined user groups with customized permissions. If you are ready to take advantage of the full functionality of permissions in CommunitySuite, please contact our amazing support team or your client success manager.