As someone who has had the opportunity to participate in a variety of audits, both large and small, for- profit and not-for-profit, most organizations are concerned with employee fraud. Often during the course of auditing smaller organizations, I am asked by owners and management, “How can a small organization, such as ours, with limited resources and personnel, prevent and detect fraud?” Frequently, a simple and basic approach is overlooked.
A Code of Conduct should be adopted. An organization should establish a Code of Conduct that clearly spells out the guidelines for employee conduct and the repercussions for not following them. It is a statement that the organization will not tolerate unethical or illegal behavior. The Code of Conduct should be provided to everyone upon hire and require written acknowledgement that they have read, understand and agreed to comply with the policy. Periodically thereafter, the employees should be reminded of the Code of Conduct. This policy needs to apply to everyone (including management/owners) and enforced accordingly. If the Organization, treats employees with respect and compensates them fairly, they will have less motivation to commit fraud.
In small organizations, one or two people may perform many tasks such as opening mail, accepting payments, making deposits & payments, preparing invoices and filing transaction documents. This invites trouble. At a minimum, responsibilities should be established in which one person handles “what comes in” (cash, checks, merchandise, supplies) and another who handles “what goes out” (payments, orders, services.) Someone, other than the bookkeeper, should reconcile and process monthly bank and credit card statements. The person who reconciles the bank statement should not have the ability to enter or modify transactions in the accounting system. When this can’t be segregated, then management needs to review and approve; even when they are segregated management should monitor. Another way to restrain fraud is to have one person prepare and authorize payroll but have it entered by someone else. Again, management should review and monitor. And, let’s not forget to keep files locked up and enforce rigorous passwords for computer-system access, especially for departing employees.
What about employee’s behavior? If you notice something different – files have been misplaced; they don’t want assistance with a project; they’re giving a customer or vendor unwarranted attention; they are arriving before or staying later than everyone else – probe into it. Insist that all personnel take their vacation and stick to their regular business hours.
Establish key indicators and expectations. Pay attention to any inconsistencies or discrepancies. Go with your instincts, and recognize that no one knows your organization as well as you do. If something doesn’t seem right, scrutinize and investigate.
Terry Ann Wheeler, CPA,CGMA – Audit Manager