At multinational corporations, teams of auditors, working alongside sophisticated artificial intelligence systems, monitor every financial transaction going in and out of a company, looking for patterns that could indicate illicit or fraudulent activity.
Most businesses don’t have access to those kinds of resources. However, that doesn’t mean that you’re helpless to stop misbehavior and protect your finances. There are a few basic principles to keep in mind as you assess fraud risk in your business.
Unfortunately, there are no one-size-fits-all rules to prevent fraud. “You’ve got to understand what your product is and how money can actually leave your organization,” explains Chris Slama, SVP of Enterprise Fraud Risk Management & Employee Fraud Detection at U.S. Bank. “Fraud can occur in any type of company, making any kind of product.”
Certain kinds of businesses, such as retailers or restaurants, might have to worry about employees skimming cash. In other kinds of businesses, the concern might be invoicing scams, travel and expense reporting, or even workman’s compensation fraud in an environment such as a manufacturer. Professional services businesses have valuable intellectual property, and most businesses nowadays have at least some customer data that could be exploited. Think creatively about where you might be exposed.
Slama encourages small businesses to think about the fraud triangle, which explains the three factors that occur simultaneously when an employee commits fraud: they have a motivation, they have the opportunity, and they rationalize their actions.
For example, in a restaurant or bar, opportunity exists for any staff member who deals with cash. Slama explains how to think about the issue in this setting: “If there’s just money on the table, you have to think—how much financial pressure are those staff under? Might they rationalize skimming some off if they feel overworked, or underpaid?”
Of course, even if you are regularly auditing your finances and monitoring activity, how can you actually know that your program is effective? For Slama, the key metric is false positives, or the number of transactions you investigate or flag that aren’t actually problematic. “If the vast majority of instances you’re looking at are false positives, then you’re wasting your time,” he explains. “Optimize your monitoring. Make sure time is well-spent.”
Companies should also take time to reassess their audit framework at least on an annual basis. If you have begun employing new technologies, or hired new kinds of employees, assess whether they bring you new kinds of exposure that ought to be monitored.
Having many employees does not mean you are automatically more exposed. “Some companies simply don’t have many people with the access or opportunity to conduct fraud,” Slama notes. A manufacturer may have hundreds of employees, but if most of them work specialized jobs and never access financials, they aren’t a risk.
By contrast, Slama cautions, “Anytime money is moving, you need to beware, especially when there is limited access to key information by a small number of people.” Having few people who can move money seems like a safeguard, but even trusted employees can find themselves exposed to pressure and rationalizing misbehavior. Though it can feel cliché, “Trust but verify,” is especially true if close friends or family members hold key financial roles.
As you begin to think more seriously about where your business is at risk of fraud and how you can best monitor for it, consider consulting the resources offered by the Association of Certified Fraud Examiners’ website, which features more on the fraud triangle, the five basic fraud risk management principles, and more.