On June 17, Sharkansky hosted a Business Perspectives event focused on fraud prevention, cyber security and internal controls. Jay Pike, CPA, Partner, Sharkansky moderated our panel, whose members included:
- Stacey Coyne, VP Cash Management, Rockland Trust
- Gary Sutherland, CEO, NAPLIA
- Mitzi Hollenbeck, CPA, Sharkansky (December 2016 update: Mitzi is no longer employed by Sharkansky)
- Konrad Martin, President & CEO, Tech Advisors, Inc.
Here is an overview of the event for those who were not able to attend.
Jay – Welcome, everyone. It’s a remarkable world we live in today. We need to worry about hackers from halfway across the world, the guy across the parking lot, and sometimes even our own employees. What do you have on your mind that you want to share with our audience today?
Mitzi – Downturns in the economy have a positive correlation with employee fraud. Internal controls can help prevent this with your company. “There is no such thing as a small fraud. There are only large frauds that were caught early.”
Gary – Cyber policies have been around for about a decade and have gotten more complex and comprehensive in coverage over that time. Vigilance with concern for your company’s internal securities is critical.
Stacey – Think about fraud before it happens.
Q1: What are the first person vs. third person exposures and threats?
Gary – First person exposure is the cost to the company to fix the fraud and report the event to clients and the government. It is substantial. First party fraud is a bigger risk for small companies. Forty percent of small businesses that operate without the proper insurance coverage will go out of business due to the costs related to a significant security breach. Third party costs are allegations from other parties that they suffered because of the fraud related to your company.
Konrad – In the case of a data breach, your hard costs will be about $150 – $200 per lost/stolen record plus the bad publicity and lawsuits. Protect your business with IT and insurance written plans as required by the Massachusetts Data Protection Law (201 CMR 17).
Q2: What are the biggest threats facing businesses today?
Konrad – Cryptolocker is a common issue today. This is a scheme in which your computer is remotely locked and a ransom is demanded to unlock it. Proper backups and images of servers can overwrite the locked machine. You may think you’re not a target as a small business, but since most small companies have less security than national or multi-nationals, you should really be even more careful.
Q3: What happens if it’s employees who cause the problem?
Konrad – One of the most overlooked areas of cybercrime is the fact that employees can intentionally or unintentionally misuse data. Malicious behavior by disgruntled employees can be very harmful. New employees need to be given an employee handbook and WISP when hired. Signatures should be collected on both. You need to demonstrate compliance at all levels for insurance reasons.
Gary – Forty percent of breaches are caused by employees. Insurance carriers don’t like to pay these claims so there are carve-outs in many policies. Also, policies often don’t cover owners or IT directors. Also, watch out for the substitution rule – which states that anyone acting in the capacity of an owner or IT professional is not covered.
Q4: Is it safe to keep company data in the Cloud?
Konrad – Accessing the data from the Cloud can be risky. There are issues around who owns the data in the Cloud – the company that puts it up there or the company that owns the server. Legislation is being debated now on this issue.
Gary – Read your Cloud contract carefully. Do your due diligence. Insurance may not cover the other companies that got hurt by your breach, but you may be responsible for that. Intentional employee breaches are the biggest risk.
Q5: What about banking risk?
Stacey – Regularly review who has access to your banking system and give access to the fewest number of people possible. Set alerts for unusual types of activity like the number of transactions in a day or the dollar amount of transactions per employee. Get a text message daily with your balance so you always have an idea of what activity is happening. Put controls in place for ACH and wire transfers. For cyber issues, having layers of protection is important, including anti-virus protection and bank malware protection. Internal controls can include having a separate computer for online banking that is not the one you use for social media or personal email.
Q6: Checks, corporate cards, and employee theft.
Mitzi – Someone who wants to steal will figure out what’s not looked for. Internal control failures can allow someone to pay their own credit card through A/P. Check fraud can be as simple as someone in A/P writing a check in his/her own name. It’s important to implement structure with segregation of duties. For instance, have one person write checks, a second person sign checks, and a third person reconcile the bank account at the end of the month. Small companies should do spot checks of checks and invoices. Credit card payments should be verified against the bill. Petty cash can be a small, frequent leak.
Q7: Can you share any war stories?
Gary – The profile of the person most likely to commit employee fraud is someone over 60 who has been with your company for a long time. The theory is that they have a sense of entitlement for long service and dedication. The monetary value of the theft is likely to range from tens to hundreds of thousands of dollars. Another common profile is the owner/partner, in which case the theft will likely be in the millions.
Konrad – Email accounts can be hacked, so if you get a request from a client for a sensitive or important transaction, verify with the client over the phone even though it takes an extra minute.
Q8: What about wire transfers and ACH?
Stacey – Implement dual control for transfers so that people know their actions are being watched. Have a second person verify the ACH account number. Have a separate account for receiving ACH or wire transfers so that when you are giving your account information to outside organizations, it’s not your operating account in case of fraud.
Q9: What is a WISP and why does my company need one?
Konrad – WISP stands for Written Information Security Protocol. If you hold personally identifiable information for a MA resident, you are required to comply with 201 CMR 17, which covers where personally identifiable information is held and how it will be protected. If your business deals with HIPAA, that adds an additional layer of issues. A WISP aims to prevent a breach, not just direct behavior after a breach.
Mitzi – Written policies and procedures for internal controls create a culture of honesty. Enforcement and review prevents fraud. It’s important to create an employee reimbursement policy that describes what is a valid charge and what is not. Without a policy, each employee invents their own definition and then it’s hard to corral later.
Gary – Think about the letter you’re going to have to write to clients about a data compromise at your company. There are two types – “We had a breach and there’s not much we can do for you, so call your bank.” This letter is not well received. Or “We take your information seriously. These are all the things we do to protect your data (vulnerability testing, penetration testing, employee training, etc.) but something has happened.” This letter is better received. You can actually send a letter in advance of a breach just to let clients know about the good protections you have… after a WISP review.
Q10: If a company only has one bookkeeper, how can it detect fraud?
Mitzi – Cash flow is an important and easy review. If profit doesn’t turn to cash, it’s a red flag. It could be a revenue recognition issue or bad debt or theft. As the business owner, you should be the first person to look at a bank statement each month. Don’t rely on the accounting/bookkeeping system alone. Someone who can set up a vendor in the bookkeeping system can pay anyone they want and it may not be caught for a while if it looks like something related to a business expense. The possibility of detection can be enough to keep things on the up and up. CPA firms can do a sample of checks and expenses for authorized payments to legitimate vendors.
Q11: What role does the annual audit play?
Mitzi – Audits are not designed to detect fraud. If the CPA firm detects fraud it will be brought to the attention of the owner. Separate engagements for internal reviews will do a deeper review of processes and specific events.
Q12: How can a company catch fraud?
Stacey – Banks have tools for fraud prevention. Positive Pay is one option. Eighty-one percent of users felt it helped them prevent check fraud (the #1 fraud). Daily reconciliation of bank accounts is another option. Seventy-eight percent of users thought this was helpful. Look at check images on online banking. Remote deposit prevents an employee from leaving the office with undeposited checks.
If you have questions about fraud prevention, internal controls, or cyber security, please contact Jay Pike.