Sunday, August 30, 2009

Make sure employees take holidays

One of the common ways fraud comes to light is when an employee is away and another person takes over their responsibilities. Some tips for detecting fraud by making people take their holidays include:

  • Have a policy that requires employees to take at least part of the annual leave / holidays each year;
  • Have employees trained in other roles;
  • When an employee takes leave / holidays, another employee should step into the role;
  • If an employee, while on leave, comes into the office “just to get a few things up to date”, question the need for them to be there and what they are doing;
  • Determine if an employee on leave needs access to the organisation's systems (including banking) – if not, deactivate access while they are away.

Sunday, August 23, 2009

Be Aware of Skimming

Skimming is the theft of funds before they are recorded in the records of an organisation. Skimming does not only involve the theft of cash, however: it may be the theft of cheques or other types of payments, although cash is the most common.

Examples of skimming include:

  • A sporting club running a food stall – a person working at the stall puts cash from the sales of the food in his or her pocket rather than in the cash tin. At the end of the day, only the cash that has been placed in the cash tin is counted, recorded in the accounting records as income and subsequently banked;
  • As cheques are received into the organisation, an accounts clerk takes the cheques and banks them into a bank account opened in a similar name. From that account the clerk can divert funds to any account;
  • Selling items through a shop run by the organisation, the person does not “ring up” the sale but puts the money in the cash register in front of the customer. When the customer leaves, the person takes the cash out of the cash register.

Skimming can be difficult to discover and also to investigate.

Here are some ideas that may help prevent skimming:

  • Rotate duties. This can be hard when you rely on volunteers (e.g. at sporting events or at shops). Rotate the person who takes the cash, rotate the volunteers between shops or stalls, or on a reasonably regular basis have someone else undertake the role and compare takings.
  • Conduct reconciliations. For example, the cash received from a food stall may be reconciled to the amount of stock used (e.g. to determine the number of hamburgers that were sold).
  • As a specific example, for food stalls use tickets. A cashier receives the cash and hands the person a ticket (e.g. a blue ticket for a hamburger, a red ticket for a hotdog). When the item is cooked, the customer hands the ticket to the person preparing the food, who places the ticket into a locked box (with an opening in the top for the tickets). At the end of the day, two people who have not worked on the stall count up the cash and the tickets – they should reconcile.

Sunday, August 16, 2009

Take regular computer backups

This may seem like a common sense statement to make, but unfortunately many organisations do not take backups of their computer data, or if they do, the backup sits next to the computer, which means it would also be damaged or destroyed if a fire occurred, or could be stolen if the organisation was broken into.

There are a number of alternatives for how to appropriately store computer backups, but you need to investigate the options thoroughly.

For example, I was reviewing procedures for an educational facility and found that the IT manager was taking backups home. Unfortunately these backups held information on students and could fall into the wrong hands if the manager’s house was broken into.

Another example is small organisations such as sporting clubs, which may have the treasurer maintain the accounting records from home. The club needs to determine the best option for maintaining the backup of its data. This may be to have one or two other members of the board keep regular backups in their home safes.

For larger organisations, a safe deposit box at a bank is always a good option.

Other options exist. For example, if you already have an offsite storage facility for your paper records, this may also entitle you to safely store your electronic backups; you should investigate such options with your provider. Other backup facilities, such as online backups, also exist, but these should be investigated thoroughly. For example, who else has access to your information if you are using an online backup service?

Backups are not just a function of disaster recovery. As an organisation, records need to be maintained for a set period of time (e.g. five years), so you should ensure you have a backup methodology that allows you to recover records for that period. This does not mean you have to keep every backup. For example, you may want to keep monthly, quarterly or yearly backups.
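As an added example (not part of the original post), the following script shows one way to turn the "monthly, quarterly or yearly" idea into a retention plan that can be run against a list of backup dates. The tier windows (30 days, one year, two years, five years) are an assumption chosen to match a five-year records requirement; set them from your own obligations. The weekly backup list it is run against is constructed sample data.

```python
from datetime import date, timedelta

# Retention policy: how far back each tier reaches. These values are an assumption
# made for this example (a five-year records requirement, keeping monthly, quarterly
# and yearly backups as the post suggests); set them from your own obligations.
POLICY = {
    "daily": timedelta(days=30),           # every backup from the last 30 days
    "monthly": timedelta(days=365),        # last backup of each month for one year
    "quarterly": timedelta(days=2 * 365),  # last backup of each quarter for two years
    "yearly": timedelta(days=5 * 365),     # last backup of each year for five years
}
TIERS = ("monthly", "quarterly", "yearly")


def _bucket(d, tier):
    """Calendar period a backup date falls into for the given tier."""
    if tier == "monthly":
        return (d.year, d.month)
    if tier == "quarterly":
        return (d.year, (d.month - 1) // 3)
    return (d.year,)


def plan_retention(backup_isodates, today_iso, policy=POLICY):
    """Decide which backups to keep and which can be recycled.

    Returns (keep, drop): keep maps an ISO date to the tier that justifies
    retaining it; drop lists ISO dates that no tier needs. Within each calendar
    bucket the newest backup is the one kept, so a month's last backup survives.
    """
    today = date.fromisoformat(today_iso)
    dates = sorted({date.fromisoformat(s) for s in backup_isodates})
    keep = {}
    newest = {tier: {} for tier in TIERS}
    for d in dates:
        age = today - d
        if age < timedelta(0):
            continue  # future-dated entry (clock skew or typo): do not plan around it
        if age <= policy["daily"]:
            keep[d.isoformat()] = "daily"
        # A recent backup may also be the last one of its month, quarter or year,
        # so every tier whose window covers it is considered.
        for tier in TIERS:
            if age <= policy[tier]:
                b = _bucket(d, tier)
                if b not in newest[tier] or d > newest[tier][b]:
                    newest[tier][b] = d
    for tier in TIERS:  # the most specific tier labels the kept backup
        for d in newest[tier].values():
            keep.setdefault(d.isoformat(), tier)
    drop = [d.isoformat() for d in dates if d.isoformat() not in keep and d <= today]
    return keep, drop


def weekly_backups(today_iso, weeks):
    """Constructed sample input: one backup per week ending today (not real data)."""
    today = date.fromisoformat(today_iso)
    return [(today - timedelta(weeks=i)).isoformat() for i in range(weeks)]


# Sample run as at the date of this post, against ~5.75 years of weekly backups.
DEMO_KEEP, DEMO_DROP = plan_retention(weekly_backups("2009-08-16", 300), "2009-08-16")

if __name__ == "__main__":
    for tier in ("daily",) + TIERS:
        print(tier, sum(1 for t in DEMO_KEEP.values() if t == tier))
    print("to recycle:", len(DEMO_DROP))
```

Because a backup that is kept for a tier is always the newest one in its calendar bucket, the plan never throws away a month's, quarter's or year's final backup while an older one from the same period is still held; and anything older than the longest window is listed for recycling so media does not accumulate indefinitely.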

But how does this relate to fraud? There are a few issues:

  • Backups can show how, over a period of time, a person has hidden the fraud they have committed;
  • Backups may be the only way to restore records after the fraudster has decided to destroy any evidence they believe may incriminate them;
  • Backups of programs other than the accounting program (e.g. emails) can provide a lot of useful information to the investigation, such as who the perpetrator has had contact with (e.g. discussions with a real estate agent about purchasing property, which may be able to be recovered);
  • If the fraud is referred to law enforcement, backups may be required as evidence.

Sunday, August 9, 2009

Conflicts of interest

A conflict of interest involves a conflict between a person's duty and the person's own personal or private interests. A conflict of interest can be an actual conflict, or it can be a perceived or a potential conflict.

A conflict of interest is not necessarily unethical or wrong. However, it is how the conflict is identified and dealt with that is important.

An example of a potential conflict of interest is a board member’s family computer company being given the contract to supply the organisation with new computers and file server. The conflict would not be handled properly if the board member did not advise the board of his interest in the computer company and arranged for no other quotes to be obtained. The conflict would be handled appropriately if the board member advised the rest of the board of his interest in the computer company and whenever the potential contract was discussed and the contract awarded, the board member removed himself from the discussions.

So what should be done to avoid conflicts of interest?

  • A conflict of interest register should be maintained and should be completed by all board members for any potential conflicts of interest;
  • If a conflict of interest arises or potentially arises, the board needs to be advised immediately;
  • Any discussions or other dealings with the issue that resulted in the conflict of interest should exclude that board member, including not providing them with any documents such as board papers or copies of tenders received relating to the matter;
  • Do not be involved in any discussions regarding the issues, including leaving the room during any board meetings when the matter is discussed;
  • Do not place yourself in a position that may result in a conflict of interest, eg. accepting a gift from a supplier or contractor or being able to use confidential information for personal gain.

Sunday, August 2, 2009

The Need to Change Passwords

A friend of mine, Micheal, provided a good example of when things can go wrong with passwords. Micheal's comments on last week's newsletter were:

I had a client where 13 people knew the super-user password to the timesheets application - which fed timesheet data to the payroll program. It had just happened that way over time as people got lax.

Needless to say everyone took advantage of the opportunity to their benefit...

It is important that as people move from position to position within the organisation, their roles are reviewed, including what systems they should have access to and what passwords they are able to use. Master passwords should be changed when people who have had access to those passwords change positions; otherwise, unfortunately, the above may happen.
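As an added example (not from the original post or the newsletter's author), the following script shows the kind of review the post recommends: a register of shared "master" passwords, recording who knows each one and when it was last changed, is checked against a list of role changes. Any password known by someone who has moved position or left since it was last rotated is flagged for rotation, people who have left are flagged for removal from the register, and passwords known by more than a few people are flagged on their own. The register, the role changes and the threshold of three holders are all constructed assumptions for the example.

```python
# Assumed threshold: more people than this sharing one master password is a finding
# in its own right, regardless of rotation dates.
MAX_HOLDERS = 3


def review_shared_passwords(credentials, role_changes, max_holders=MAX_HOLDERS):
    """Check a register of shared passwords against role changes.

    credentials: list of {"system", "holders" (set of names), "last_rotated" (ISO date)}
    role_changes: list of {"person", "date" (ISO date), "change" ("moved" or "left")}

    Returns {system: [(finding, detail), ...]} for systems with issues only.
    ISO dates (YYYY-MM-DD) are compared as strings, which orders them correctly.
    """
    findings = {}
    for cred in credentials:
        issues = []
        holders = cred["holders"]
        # Anyone who changed role or left AFTER the last rotation still knows the
        # password, so it must be changed.
        stale = sorted({rc["person"] for rc in role_changes
                        if rc["person"] in holders and rc["date"] > cred["last_rotated"]})
        if stale:
            issues.append(("rotate", stale))
        # People who have left should no longer appear as holders at all,
        # whenever they left.
        gone = sorted({rc["person"] for rc in role_changes
                       if rc["person"] in holders and rc["change"] == "left"})
        if gone:
            issues.append(("remove_holders", gone))
        if len(holders) > max_holders:
            issues.append(("too_many_holders", len(holders)))
        if issues:
            findings[cred["system"]] = issues
    return findings


# Constructed sample register and HR events (not real data).
SAMPLE_CREDENTIALS = [
    {"system": "timesheets", "holders": {"alice", "bob", "carol", "dave", "erin"},
     "last_rotated": "2009-01-10"},
    {"system": "payroll", "holders": {"erin", "frank"}, "last_rotated": "2009-06-01"},
]
SAMPLE_ROLE_CHANGES = [
    {"person": "alice", "date": "2009-03-02", "change": "moved"},
    {"person": "bob", "date": "2009-05-15", "change": "left"},
    {"person": "carol", "date": "2008-11-01", "change": "moved"},  # before last rotation
    {"person": "frank", "date": "2009-07-03", "change": "left"},
    {"person": "grace", "date": "2009-02-01", "change": "moved"},  # holds no shared password
]

DEMO_FINDINGS = review_shared_passwords(SAMPLE_CREDENTIALS, SAMPLE_ROLE_CHANGES)

if __name__ == "__main__":
    for system, issues in DEMO_FINDINGS.items():
        for finding, detail in issues:
            print(f"{system}: {finding} {detail}")
```

Run periodically (and whenever HR records a move or departure), a check like this turns the post's advice into a routine task: the register has to exist for it to work, which is itself the first control, and the "too_many_holders" finding is what would have caught the thirteen-person super-user password long before anyone made use of it.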