Often we are asked to help our customers with fraud issues - sometimes proactively, sometimes as the ambulance at the bottom of the cliff, hunting back through transactions for evidence for prosecution.
As a company grows, you are often required to introduce audit controls by your board or shareholders. This can be viewed as the "annual challenge" to see how quickly you can get the auditors out of your hair, or it can be looked upon proactively as an opportunity to demonstrate how well you have your house in order.
Having worked through many systems and procedure audits at central and local government, plus in highly accountable private organisations, we have seen a lot of different methods for reviewing how these organisations keep on top of potential employee fraud. Many do not have regular checks other than the annual audit, and many do not have push/exception-based notification of any breaches of policies.
Often what is audited (when you're forced to be audited) are the simple things, like password policies, large transactions getting appropriate evidenced approvals, etc. What is often overlooked are things like:
- excessive supply ordering for kickbacks or pocketing excess stock
- stock write offs / stock counting
- new supplier agreements (suppliers are often keen to woo new customers with some freebies)
- ANYTHING where cash is handled
- changes in payment terms
- updates to supplier bank accounts
- who can issue credits?
- access to prepaid postage or courier packs
- who locks up the premises?
In the D!gitalist Magazine, they suggest that one of the key risk areas is Supplier/Employee relationships. (Read it here).
With significant fraud it may be a lone employee or even an owner; however, it's also common to see groups of employees developing "it's ok to take one..." or "they've got plenty..." attitudes. Each one of these transactions that is not disclosed is hurting your business... and do you really know what the volume or value of these non-disclosed transactions is? The figures in the article suggest lone employees will do damage, but often collusion of multiple employees - maybe just skimming - is really hurting business.
There is a mountain of things you can track and attempt to monitor. Maybe you're ok because you'd know if you were losing a lot? But what is the cost of the skimming that's being done? $10... $100s... $1000s or more? Over how many years? But how do you get your organisation in order... (and actually keep running the business)?
There are some basic starting points......