Business fraud has been around for a long time. At its core there’s very little new about business fraud. Only the devices and the methods for doing it are different today from those in the past. This post takes an unflinching look at business fraud and offers suggestions on how to prevent fraud—or at least how to minimize its effects.
Most people are honest most of the time. Businesses have to deal with the exceptions to this general rule. A business cannot afford to assume that all the people with whom it deals are honest all of the time. Fraud against business is a fact of life. One function of business managers is to prevent fraud against their business. It goes without saying that managers should not commit fraud on the behalf of the business. [But some do, of course]. A business is vulnerable to many kinds of fraud from many directions—customers who shoplift, employees who steal money and other assets from the business, vendors who overcharge, managers who accept kickbacks and bribes, and so on. The threat of fraud is present for all businesses, large and small. No one tells a business in advance that they intend to engage in fraud against the business, of course. Compounding the problem is the fact that many people who commit fraud are pretty good at concealing it.
Business Fraud and Its Two Basic Types
In this post, the term fraud is used in its broadest and most comprehensive sense; the word covers the waterfront. It includes all types of cheating, stealing, and dishonest behavior by anyone inside the business and by anyone outside with whom the business deals. The fraud may be illegal; or even if it isn’t illegal, it is immoral, unethical, or unacceptable. Examples of fraud range from petty theft and pilferage to diverting millions of dollars into the pockets of high-level executives. Fraud includes shoplifting by customers, kickbacks by vendors to a company’s purchasing managers, embezzlement by trusted employees, inflated expense reports submitted by salespeople, deliberate overcharging of customers, and so on. A comprehensive list of business fraud examples would fill an encyclopedia.
Speaking as a business manager, there are two types of business fraud:
- Type 1: The kind you don’t want to happen because it damages the business and may raise questions about your competence in not having prevented the fraud.
- Type 2: The kind you do want to happen, or the kind you do nothing to stop even though you have to hold your nose while the fraud goes on.
In other words, there is fraud against the business and fraud by the business. Type 1 fraud can be classified by who does it. It includes all kinds of schemes and scams by vendors, by employees, by customers, and even by a business’s own managers. Unfortunately, a business is vulnerable to all kinds of fraud attacks from virtually everyone it deals with. And, we regret to say, the business may engage in fraudulent practices, too.
Fraud Perpetrated by Businesses
Accounting and business finance articles recently dealing with business fraud focus almost exclusively on Type 1 and either sidestep or downplay Type 2. However, you can’t do justice to the topic without mentioning that some businesses engage in Type 2 fraudulent practices. Most experienced business managers would agree with us on this point, in private if not on the record.
Most frauds perpetrated by businesses are illegal under various state and federal statutes. Also, restitution for damages suffered from the fraud can be sought under the tort law system. No one advocates this type of fraud, of course. Very few people make the argument that this type of fraud is a necessary evil, which, viewed in a larger frame of reference, has to be tolerated in order to achieve the overall benefits from our economic system. In other words, the “for the greater good” argument doesn’t carry water when it comes to fraud by business.
In any case, the evidence is clear that many businesses deliberately and knowingly engage in fraudulent practices and that their managers do not take action to stop it. Indeed, the managers are complicit in the fraud. They initiate a fraud; or for fraud going on in the business, they look the other way. The managers may not like fraud and not approve of it, but they live with it. Sometimes a manager is convicted of being part of a fraud conspiracy. However, over their careers, few managers are ever prosecuted for fraud.
You read about Type 2 fraud all too often in the financial and business press. Examples include bribing government and regulatory officials, knowingly violating laws covering product and employee safety, failing to report information that is required to be disclosed, misleading employees regarding changes in their retirement plans, conspiring with competitors to fix prices and divide territories, condoning misleading advertisements, and discriminating among employees on grounds of gender and race.
One “duty” of a manager is to keep quiet and to cover up and prevent publicity regarding fraud by the business. Managers are under pressure to follow the “three monkey” policy: See no evil, hear no evil, speak no evil. And then there is the whole area of accounting fraud and fraudulent financial reporting by a business’s executives and its financial and accounting officers.
Other than what has already been said, Type 2, or “management complicity” fraud, is not discussed further in this post—except to make one final point: Fraud condoned by management makes a business more vulnerable to Type 1 fraud by employees. The literature and official pronouncements on business fraud stress the key point that preventing fraud depends first and foremost on the “tone at the top”. Employees generally are aware of what’s going on in the business. When they see fraudulent practices in the business that are sanctioned by its top-level managers, then some employees might be more inclined to adopt an “entitlement” attitude and commit some fraud on their own. And they may be very good at it.
Businesses handle a lot of money, have a lot of valuable assets, and give managers and other employees a lot of authority. So it’s not surprising that a business is vulnerable to fraud.
The 2003 Fraud Survey by the Big Four CPA [certified public accountant] firm KPMG, for example, includes the following types of fraud against businesses:
- Diversion of sales.
- Duplicate billings.
- False invoices and phantom vendors.
- Inventory theft.
- Kickbacks and conflicts of interest.
- Loan fraud.
- Theft of intellectual property.
The main advice offered in the professional literature on fraud against a business is to put into place and to vigilantly enforce preventive controls. The literature has considerably less advice to offer regarding the course of action managers should take once an instance of fraud is discovered, other than to say that the manager should plug the hole that allowed the fraud to happen.
The KPMG Fraud Survey found that the companies in its survey took the following actions:
- Begin an investigation.
- Immediately dismiss employees who commit fraud.
- Seek legal action.
- Notify a government regulatory agency or law enforcement.
The Twofold Purpose of Internal Accounting Controls
Anti-fraud controls are generally called internal controls or internal accounting controls. The accounting department of a business is delegated the responsibility for most antifraud controls. These controls consist of required forms that must be used and procedures that should be followed in authorizing and executing transactions and operations. The accounting department records the financial activities and transactions of a business, so it is natural that the accounting department is put in charge of designing and enforcing internal controls. The accounting profession has a long history in designing and using internal controls.
Most internal accounting controls have both an antifraud purpose and an accounting-reliability purpose. Keep in mind that the accounting system of a business is the source of information for its financial statements, tax returns, and management reports. The accounting purpose of internal controls is to eliminate [or at least to minimize] errors in capturing, processing, storing, and retrieving the large amount of detailed information needed in operating a business. Many controls are needed to ensure the accuracy, completeness, and timeliness of information held in the accounting system of a business.
Controls have to keep up-to-date with changes in a business’s accounting system and procedures. For example: a whole new set of internal controls had to be developed and installed as businesses converted to computer-based accounting systems. This was a difficult transition for many businesses. Accountants have a large repertoire of internal controls from which to choose. A post about internal controls directs to business managers has been posted. An internal control check list for managers. You can read it [here].
Control Guidelines for Accepting New Customers and Clients
One area where internal controls are needed but are often overlooked by many businesses concerns taking on new customers—especially if the business extends credit to its customers. Of course, most businesses put a high priority on securing new customers. But the wrong kind of customer can cause large losses instead of yielding additional profit.
Some new customers may be out-and-out crooks who never intended to pay for their purchases from the business. Other new customers may have good intentions but may be on thin ice financially and end up not being able to pay their accounts on time, or may not pay them at all. A business should have controls guiding its sales staff for sorting out the wheat from the chaff.
Every business has to adopt its own individual set of rules for new customers. In this connection, it’s very interesting to note that CPA firms are bound under their professional standards to establish policies and procedures for deciding whether to accept or continue a client relationship and whether to perform a specific engagement for that client. The main purpose is to minimize the likelihood of association with a client whose management lacks integrity.
One of the key characteristics that CPA firms list is that the client should have:
appropriately comprehensive and sound internal controls that are consistent with the size and organizational structure of the business [AICPA, “Acceptance and Continuance of Clients and Engagements,” January 2004, Practice Alert, J1-2].
So, if your business contacts a CPA, you should be aware that the CPA firm will be doing a check on how good your internal controls are.
Policies and Problems Concerning Internal Controls
A good deal of business is done on the basis of trust. Internal controls can be viewed as a contradiction to this principle. Yet in a game of poker among friends cutting the deck before dealing the cards is not viewed as a lack of trust. Most people see the need for internal controls by a business or by card players—at least up to a point.
Many businesses, especially smaller ones, adopt the policy that some amount of fraud simply has to be absorbed as a cost of doing business and that it’s not worth the time and cost of instituting and enforcing an elaborate set of internal controls. This mind-set reflects the fact that business by its very nature is a risky venture. Despite taking precautions, you can’t protect your business against every possible risk. This is true but it is also true that a business invites trouble and becomes an attractive target if it doesn’t have basic internal controls. Deciding how many different internal controls to put into effect is a tough call.
Internal controls are not free. Internal controls take time and money to design, install, and use. It’s difficult to measure or to estimate the costs of an internal control or of a related group of related internal controls in one area of the business—such as purchasing, or cash receipts, or payroll, or customer credit. It’s very difficult to estimate the number of instances of fraud prevented by the internal controls used by a business and the damage that would have been done by the frauds. Where do managers look for information about fraud, then? Well, for one thing, they read articles in newspapers about frauds. Also, managers trade information with business associates. Business trade associations provide information about frauds in the industry in formal reports. At regional and national meetings, managers swap stories about fraud. Some cases of fraud are truly astonishing.
You wouldn’t think the perpetrator could have gotten away so long with the fraud or could have stolen such a large amount without being noticed. We remember newspaper stories years ago reporting that a long-time, trusted bookkeeper had stolen virtually half of the assets of a small bank in the Midwest. This happened to more than one bank, as a matter of fact. The bookkeeper realized that many of the savings accounts in the bank were owned by older depositors and were inactive. The bookkeeper also knew that the bank officers never took a close look at these accounts.
So the bookkeeper “withdrew” money from these savings accounts and sent monthly statements to the depositors that reported their original balances. Because the bookkeeper prepared the depositor statements, it was easy to falsify the balances. The simple internal control of separating the duty of preparing depositor statements from the duty of recording deposits and withdrawals in the accounts would have prevented the fraud, unless the two employees colluded. Of course, the bank’s officers should have been held accountable for not keeping a close eye on inactive savings accounts.
Keep in mind that internal accounting controls are not 100% foolproof. A disturbing amount of fraud still slips by these preventive measures. How are these frauds found out?
Well, the 2003 Fraud Survey by KPMG reported that common methods for uncovering frauds included:
- Internal controls
- Internal audits
- Notification by an employee
- Anonymous tip
- Notification by customer
- Notification by regulatory or law enforcement agency
- Notification by vendor
- External audit
One test of a good internal control is that it will detect a fraud if it fails to prevent it. Of course, this is like closing the barn door after the horse has escaped. Still, it’s critical to learn what fraud has happened in order to close the loophole in the system.
An internal control may fail because it is not carried out conscientiously or because it is done in a perfunctory manner. In theory, managers should not tolerate such a lackadaisical attitude toward internal controls by employees. But until something serious happens, managers may let this attitude slide. Sometimes a manager intervenes and overrides an internal control. This sets an extremely bad example and, in fact, might be evidence of fraud by the manager.
Fraud by high-level managers is particularly difficult to prevent and detect. By the very nature of their position, these managers have a great deal of authority and discretion. Their positions of trust and power give them an unparalleled opportunity to commit fraud and the means to conceal it. If you have any doubt about this, look in the financial press over the past few years and read the many articles describing the gross abuses by top executives of many corporations. Evidently their huge salaries and stock options were not enough. One commentator said it’s not just about money, but rather about hubris—meaning that these individuals did not consider themselves bound by normal rules of behavior and they had to demonstrate that they could break the rules. Good old-fashioned greed seems behind most of the corporate scandals, however.
Public Companies and Internal Controls
As you probably remember there was a plethora of high-profile business fraud cases over recent years—Enron, WorldCom, Waste Management, Rite Aid, HealthSouth, and many more. Then came along the mutual fund scandals of 2003. I’ve lost count of the number of high-level executives that have pleaded guilty to extremely serious fraud charges. Many have gone to jail. One result of these many scandals was passage of the Sarbanes-Oxley Act of 2002, which sailed through Congress and was immediately signed by President George Bush. The act had a major impact on the CPA auditing profession, including establishing the Public Company Accounting Oversight Board to oversee the auditing profession.
One section of the Sarbanes-Oxley Act deals with internal controls of public companies. PricewaterhouseCoopers, one of the Big Four CPA firms, ran a full page ad in the Wall Street Journal [March 12, 2003, A20] under the main title “Internal Control Is No Longer Just Internal.” Three paragraphs describe the act’s impact on internal controls:
The Sarbanes-Oxley Act of 2002 includes several important sections related to internal control for public companies—the spirit of which is to improve the completeness, accuracy and transparency of financial reporting and to foster compliance with laws and regulations. Section 404, a key part of Sarbanes-Oxley, requires an annual assertion by management regarding the effectiveness of internal control over financial reporting, as well as an attestation by the company’s auditors on management’s assertions.
Many public companies have long relied on control procedures to guard against fraud, unethical behavior and honest human error. But now management not only will be asked to acknowledge its responsibility for having in place an adequate internal structure, it will need to assess the effectiveness of that structure, publicly report that assessment, and subject that assessment to attestation by the company’s auditors.
The act applies to publicly owned businesses, which include approximately 10,000 corporations whose securities [stocks and bonds] are traded in public markets. These are large businesses, of course. Roughly speaking, a business needs to have a market cap of $25 million or higher to be affected by the regulations under Sarbanes-Oxley. One concern is whether there might be a “trickle down” effect on small businesses. States and other regulatory agencies might use the act as a model to pass similar laws that cover businesses domiciled in their states. It seems more likely, however, that states will be more interested in other features of the act—especially the sections dealing with which services CPAs should be prohibited from providing their audit clients in order to ensure the independence of CPAs for doing audits.
Large businesses have one tool of internal control that is not practical for smaller businesses—internal auditors. Most large businesses, and for that matter most large nonprofit organizations and governmental units, have internal auditing departments. The internal auditors have broad powers to investigate any of the organization’s operations and activities, and they report their findings to the highest levels in the organization. Small businesses cannot afford to hire a full-time internal auditor. But even a relatively small business should consider hiring a CPA to do an assessment of its internal controls and to make suggestions for improvement. In fact, this might even be of more value than having a CPA audit its financial statements.
Every business should institute and enforce controls that are effective in preventing fraud. An ounce of prevention is worth a pound of cure. And a business needs many accounting controls to ensure that its financial records are accurate, timely, and complete. Otherwise, its financial reports and tax returns may be seriously mistaken and misleading. The terms internal controls and internal accounting controls generally refer to both antifraud controls and antiaccounting error controls. Nevertheless, it’s useful to keep in mind the difference between controls designed primarily to stop fraud [such as employee theft] and procedures designed to prevent errors creeping into the accounting system.