Sunday, November 29, 2009

Should Fraud be Reported to the Police

When developing a Fraud Control Policy an important part of that plan is a clear statement as to whether fraud that has been discovered will be reported to the Police. A number of issues need to be considered in making this decision:

  • In some jurisdictions, it is required by law that any serious offence is report to the Police. An organisation needs to understand if such a requirement is in place in their jurisdiction;
  • If an organisation does not report the matter to Police, the organisation needs to consider what message this send to other employees and volunteers;
  • If an organisation does not report the matter to Police, will the person committing the fraud go on to another employer and commit fraud there?;
  • By reporting the matter to Police, the organisation needs to consider if it is likely that the fraud will be reported in the media as it goes through the Court process and the potential damage this could cause the organisation;
  • The organisation’s insurance policy may require the fraud to be reported to the Police.

Sunday, November 22, 2009

Cheque Fraud

Cheque fraud can easily occur and can cost an organisation significant amounts if appropriate controls are not in place.

Cheque fraud can occur in a number of ways:
  • Using false invoices to have a cheque paid in favour of the false business;
  • Changing a legitimate cheque (payee and amount) without having authority to do so;
  • The theft of cheques and the use of those cheques at a later time;
  • Duplication of cheques, especially if they are preprinted by the company;
  • Depositing a cheque into another account without authority.

To prevent cheque fraud, there are a number of possible controls:

  • Reconcile the bank account on a regular basis;
  • Never sign blank cheques. Only sign cheques when details have been completed and there is documentation supporting the payment;
  • Limit the number of signatories on the account and remove signatories when they are no longer required;
  • Ensure that cheques require at least two signatories;
  • Keep all cheques in a safe place to deter theft;
  • Avoid the use of acronyms when completing the Payee;
  • If you are expecting more cheques and they have not arrived, contact the bank and cancel them.

Sunday, November 15, 2009

Using Imprest Accounts

If you operate at a number of different locations or have a number of branches, the use of imprest accounts may be a good solution.

An imprest account is used on the following basis:
  • A set bank account balance (set depending on the spending requirements of the location / branch and on the regularity of the reimbursement (eg. weekly, monthly));
  • Deposits are made to the organisations general account and not the imprest account;
  • A reconciliation of the imprest account is conducted when a reimbursement is required;
  • Signatories to the imprest account are usually people located at the location / branch for ease of use of the account.

The use of an imprest account reduces the risk of fraud as it reduces the possible spending people at the location / branch can undertake.

The imprest account system allows locations / branches to have some autonomy while still being restricted in the amount they can spend and still providing regular support for the expenditure they undertake.

Sunday, November 8, 2009

Travel Expenses

How do you control expenses spent by employees while travelling on work related trips? There are a few options which can be considered, each with their own benefits and risks.

Per Diems

These allow an organisation to reduce paperwork if they have a number of employees and volunteers travelling. A per diem is an allowance which can be easily set by referring to meal allowances as set by the relevant federal government. In Australia, this is set by the Australian Tax Office. If the employee spends more, it will be at their own personal cost. However, if they spend less they keep the amount they did not spend.

The benefit to the organisation is that it knows exactly how much it will spend and has a reduced level of paperwork. The potential cost to the organisation is that the employee spends less and therefore the organisation overpays the employee.

Full reimbursement of costs

In this situation, employees need to provide receipts for all meals and other costs incurred. However, the organisation needs to clearly set out what is and is not acceptable expenditure. For example, no alcohol, no mini bar in the hotel room. If a number of employees and volunteers travel frequently, the administration of this system can out way the benefits of only reimbursing the actual costs incurred. Also employees can spend more than they would under the per diem system because it’s “on the boss” or the organisation is paying for it. The other concern is that receipts are obtained by the employee where these costs are not actually incurred and reimbursement made.

Both systems have advantages and disadvantages. Whichever system is used, there needs to be a clear policy developed for when employees and volunteers are travelling on business.

Sunday, November 1, 2009

Internet Fraud

I am surprised with the number of phishing emails that still arrive in my Inbox every week – most supposedly from banks which I don’t even have a bank account with. But the concerning aspect is that people still fall for the email and click the link, ending up giving their contact details.

So how do people get our information over the internet.

Phishing requires that a person provides their information. It is often via the email process we all see. An email is received from what appears to be a legitimate company (in many instances a bank). The emails advise you of some issue – the bank has had a security upgrade for example – and they need you to verify your information. You click the link and are taken to a web page that looks almost identical to the company you have been dealing with. There you put in your username and login and the hackers have your information.

A Trojan is malware. It is used by a hacker to obtain unauthorised access to the user’s computer system. Trojans are designed to give hackers remote access to the users computer and give them the ability to perform the same functions the user can.

Key logging programs do as the name suggests. The program allows for each key stroke entered by the user is recorded by the program. These programs are used frequently to obtain a persons username and password for internet banking.

No matter what the issue, the preventative measures are the same. Here are some examples:

  • Have appropriate firewalls on computer systems;
  • Have up-to-date virus checking software and regularly check for updates to it;
  • Use a strong password and change it regularly;
  • If it seems to good to be true – it probably is - for example never give your password to anyone;
  • Use security tokens or similar for internet banking.