Accounting On Us
Planning for the worst
Jessica Moulder, CPA, CFE
Fraud can occur in any organization, and as someone who has worked closely with multiple companies of all shapes and sizes for more than a decade in public accounting, I’ve tried to stress all of these things to my clients: fraud happens. It inevitably will happen in your organization on some level at one time or another and the best thing you can do to prevent it is actually to prepare for it. Consider the areas within your organization that are vulnerable to fraud, and figure out how to implement controls to mitigate those risks. Revisit those controls regularly – anytime you have a change in your operations or in your staffing assignments – and adjust accordingly. Make sure you set the right tone at the top so that you have a culture of high ethics that tells your employees fraud won’t be tolerated in your organization. Teach your employees that it’s safe to report suspected fraud, and make sure you communicate to them exactly how they can do that through an open door policy, a whistleblower hotline, etc.
Get a game plan
Even an organization that has done all of those very important steps is still at risk, so you need to prepare for the moment that anyone would dread… when you actively suspect fraud in your operations. To do that, you need a fraud response plan, which can be part of your overall fraud policy. Don’t wait until a fraud occurs to decide how you’ll handle it. You’ll be filled with thoughts of “shoulda coulda woulda,” but it’s too late for that. Your game plan is more important than ever. The days immediately following a discovery like this will likely be a very emotional, confusing and uncertain time, so it’s very important to act thoughtfully and with purpose. A fraud response plan can ensure you do just that.
First things first: You MUST respond to all suspected acts of fraud, and your plan should explicitly state that. It sounds so obvious, but there are actually many instances of fraud going unreported and even unaddressed. Sometimes people struggle to confront someone who is acting inappropriately, or they want to believe the best in the people they trust. They hope by letting something slide, turning their head the other way or offering a second chance, the situation will resolve itself. However, this couldn’t be further from the truth, and acting passively (or not acting at all) only increases your organization’s risk of continued fraud in the future. Always remember that there’s no such thing as a small fraud. There are only big frauds caught and addressed early.
So now that we’ve affirmed that you need to act, you certainly don’t need to act alone. You definitely need help, and you don’t want to add to a crisis by making inadvertent missteps. There are so many considerations to be made given the legal, accounting and insurance issues you’ll be facing. The first step in your fraud response plan should outline who should contact your attorney, your CPA and your insurance company for guidance and assistance. Of course, you should follow their specific advice closely, but here are some common steps you’ll likely need to take – all of which should be documented in your plan.
Stay calm. You might be tempted to respond immediately by confronting the suspected fraudster – ever heard of the heat of the moment? However, that is honestly the worst thing you could do. You will undoubtedly benefit more from protecting and gathering important information, keeping certain evidence intact and backing up your systems before the fraudster suspects you’re on to him or her (which can cause them to start trying to cover their tracks.) Consider the old adage “You don’t know what you don’t know.” You might have stumbled onto blatant fraudulent activity – perhaps related to the area of payroll processing – but what if that person is also running a fraudulent billing scheme or skimming cash that hasn’t been uncovered yet? The more information you have to work with, the better off you’ll be. On the other side of the coin, you definitely don’t want to falsely accuse someone of fraud, so you’ve got to work with legal counsel to get all of your ducks in a row before you act.
Keep the matter confidential – especially in the beginning. Make sure the plan defines who should be informed of the suspected fraud, but also how the matter should be treated confidentially. You might be tempted to confide in fellow co-workers, especially those in trusted positions. However, you should remember that almost all fraud is perpetrated by people in trusted positions. What if you have a more systemic problem, or what if collusion is involved in the fraud scheme? Until you better understand the extent the fraud scheme involves, the less people you tip off the better.
Try to take careful notes of all observations and actions following the fraud discovery. You might be confident that you’ll remember everything exactly as it’s happening, but anything worth noting mentally is more effective when it’s in writing. This includes dates, times, names of individuals involved and specific details about conversations that took place.
Identify all of the documents and potential evidence you might need and store them in a secure place. This might include invoices, contracts, checks, timecards, payroll registers, banking or credit card statements and activities, and even computers. As tempting as it might be to access the suspect’s email and other electronic files, this should only be done under the direction of your legal team to maintain the integrity of the files.
Look for the silver lining
I don’t mean to make light of how devastating fraud can be to an organization’s operations, financial situation and employee morale, but you have to use the situation to the betterment of the organization as much as possible. Earlier I mentioned that there wasn’t much value in “shoulda coulda woulda,” but once you’ve properly addressed the current fraud situation, it’s not a bad idea to spend some time thinking that way now. Revisit how this fraud was allowed to happen and re-design internal controls to prevent reoccurrences. Think about what you would have done differently if you had to do it all over again, and then do those things now because detecting and preventing fraud is an ongoing process. If you do that, you’ll be in a better position to identify and respond to fraud threats in your organization.