Small Business - Big Risks Fraud Controls Lacking at Organizations with Fewer than 100 Employees Small businesses are significantly more likely than their larger counterparts to neglect instituting basic antifraud controls that could save them from costly losses, a recent worldwide survey shows. Organizations with fewer than 100 employees were significantly outpaced by larger organizations in every fraud control measured in the Association of Certified Fraud Examiners (ACFE) 2012 Report to the Nations on Occupational Fraud and Abuse, which was released in May. The ACFE’s global fraud study found: Just 56% of organizations with fewer than 100 employees represented in the survey underwent external audits of their financial statements, compared with 91% of businesses with 100 or more employees. Employees received fraud training at just 18.5% of small organizations in the survey, compared with almost six in 10 larger organizations. Management certification of the financial statement occurred at 43% of small organizations in the survey, compared with 81% of larger ones. Formal codes of conduct existed at just 50% of organizations with fewer than 100 employees in the survey, compared with 90% of organizations with 100 or more employees. “The percentage of small organizations that have formal controls in place is just so dwarfed by the large organizations,” Andi McNeal, CPA, the ACFE’s director of research, said. “And we noticed a real opportunity for small organizations to invest in simple measures, even a code of conduct, which frankly shouldn’t cost more than a handful of hours of employees’ time.” The ACFE Report to the Nations was one of two studies released in May that provided substantial perspective on fraud. The AICPA’s 2011 Forensic and Valuation Services (FVS) Trend Survey found that demand for tech-savvy forensic and valuation CPAs is soaring as computers play an increased role in fraud. VALUE IN VIGILANCE In the ACFE study, available at acfe.com, businesses with fewer than 100 employees often lacked formal controls and were shown to be three times more likely than their larger counterparts to discover instances of fraud by accident. Smaller businesses were almost twice as likely to discover fraud when notified by police and were not nearly as likely to uncover fraud through an internal audit. In the online survey completed by 1,388 Certified Fraud Examiners (CFEs) in late 2011, the ACFE asked respondents to provide a detailed narrative of the largest occupational fraud case they had investigated and completed since January 2010. The results of these fraud cases were used to compile the survey and illustrate a point championed by internal control advocates. Larry Rittenberg, CPA, the former chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), said small businesses need effective internal controls just as larger businesses do. He said small businesses start with great entrepreneurs who have good ideas and create useful products. The reason many of them fail, he said, is that they don’t develop financial discipline. “Good internal control is good business,” said Rittenberg, an emeritus professor of accounting at the University of Wisconsin. “That’s why you have internal control. And there’s always the link. You’ve got risk. And controls are there to mitigate those risks. And some of them can be done at pretty low cost.” McNeal said it’s more cost-effective, directly and indirectly, to invest in fraud prevention measures than to wait and spend the money on detection, investigation, and trying to recover losses a business might suffer. She said that, anecdotally, the ACFE repeatedly hears about small businesses being shuttered because of fraud by their employees. A fraud that costs $100,000 can sink a small business, McNeal said, and frauds of that size are not unusual. The median loss caused by the occupational fraud cases in the ACFE survey was $140,000, and more than one-fifth of the cases caused losses of at least $1 million. The presence of antifraud controls correlated with significant decreases in the cost and duration of fraud, the survey found. Considerably lower losses and time to detection were reported at organizations that had implemented any of 16 common antifraud controls (see Exhibit 1 below). Organizations with job rotation and mandatory vacation policies, for example, had a 63% reduction in the average duration of fraud before detection. Job rotation policies require employees to regularly switch duties, enabling co-workers to identify errors or unethical behavior. Mandatory vacation policies require employees to leave their positions long enough for a co-worker to fulfill their duties, which can lead to discovery of irregularities. “If they invest in any kind of antifraud training program, it doesn’t have to cost a lot of money, but it can be an extremely effective fraud prevention tool and fraud detection tool,” McNeal said, “and if done properly it can save an organization lots of resources both in the short and the long run.” The Report to the Nations says antifraud measures such as a code of conduct, employee training programs, and formal management review of controls and processes can be implemented at marginal costs in many small organizations and can significantly increase prevention and detection of fraud. The cost of instituting codes of conduct and management review of controls and processes can be essentially limited to the expense required for the labor to implement them. A code of conduct is an inexpensive control that can help management set the bar for employee standards, McNeal said. “This is one area where management can really send a signal that, ‘Hey, this is important to us. We want a culture of honesty and integrity. We want to make ethics a priority,’ ” she said. Exhibit 1: Antifraud controls lag at small businesses Small businesses whose frauds were reported in an online survey of 1,388 Certified Fraud Examiners conducted late in 2011 significantly trailed their larger counterparts in frequency of antifraud controls, according to the 2012 Report to the Nations on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners (ACFE). FORENSIC SERVICES IN DEMAND The AICPA study showed that fraud is likely to remain a significant concern for the foreseeable future. Seventy-nine percent of forensic and valuation CPAs said they expect greater demand for services in the next two to five years, according to the report, which is available at tinyurl.com/88eyj9r. More than half of respondents said they would hire employees to handle computer forensic investigations; 83% expect more demand in this area in the next two to five years. Steve Howe, the Americas area managing partner for Ernst & Young, said forensic investigation is one of the public accounting service lines that will be in greater demand in the near future. He said the significance of emerging markets, the Foreign Corrupt Practices Act, and investor concerns all play roles in that increasing demand. “I think the market is going to need more from all of us there,” he said during a panel discussion in May with leaders from seven other large public accounting firms at the AICPA spring Council meeting. Robert Harris, CPA/CFF, CGMA, who chairs the AICPA’s 2012 Certified in Financial Forensics (CFF) Credential Committee, said he is seeing much more fraud related to computers and people circumventing software to hide disbursements to themselves. He said employees with smartphones are essentially running around with minicomputers in their hands and logging in to networks that are not legitimate. He said passwords then get stolen, and accounts and information get compromised. Harris advises users not to log in to networks they don’t recognize, and not to open emails unless they are sure they know who sent them. “Just because they have your email address, don’t assume it’s somebody that knows you or it is a legitimate site,” he said. “And look really carefully, because the amount of phishing that goes on, using banks, airlines’ names, brokerage houses, is huge.” Stay on top of regulatory changes Aside from attracting and retaining qualified staff, keeping abreast of regulatory changes was rated as the most challenging issue forensic professionals will face in the next two to five years in The 2011 Forensic and Valuation Services (FVS) Trend Survey. The report, available at tinyurl.com/88eyj9r, provides best practices for keeping up with regulatory changes: Leverage technology. Much relevant information can be found on websites of regulatory bodies. Free and paid sites offer advice, articles, white papers, and other guidance. Assign responsibility. Divide and conquer by assigning specific individuals the task of updating and maintaining institutional knowledge of new regulations, although everyone should be kept abreast of the general rules. Be social. Attend conferences and presentations, or participate in webinars. Subscribe. Key periodicals are a good source of new laws. Financial sector, revenue recognition require vigilance Continued vigilance for occurrences of fraud is especially necessary in the financial sector, according to a forecast in an AICPA survey. Forensic and valuation CPAs anticipate investing entities and lending institutions to be the business sectors with the most allegations of financial misrepresentation over the next two to five years, according to the AICPA’s 2011 Forensic and Valuation Services (FVS) Trend Survey. Twenty-five percent of FVS professionals said the most allegations would come from investing entities, and 19% said financial misrepresentation would be most common in lending institutions. The full report is available at tinyurl.com/88eyj9r. Robert Harris, CPA/CFF, CGMA, chair of the AICPA’s 2012 Certified in Financial Forensics (CFF) Credential Committee, said that overstatements in the financial sector often are accidental. “When we were going through the financial crisis, we saw a market that was very thin—in other words, there were so few investors—thus we were seeing values drop on many of these mortgage-backedsecurity portfolios,” he said. “And this makes it very hard to come up with a value. Many of the values recorded that people felt were too high were not intentional. I think most people are trying to do their best to record an accurate value, but it was hard to get values.” Revenue recognition, which has a converged standard under development by FASB and the International Accounting Standards Board, was identified as the most prevalent issue that will be encountered in financial statement misrepresentation over the next two to five years. Thirty-six percent of forensic and valuation CPA respondents identified revenue recognition as the top issue, and 32% said valuation of assets carried at fair value would be the most prevalent concern. In addition to polling forensic and valuation CPAs, the AICPA survey solicited feedback from CPA decision-makers in business and industry, who identified the fraud issues they have faced. Frauds most commonly reported by business and industry respondents were false payment requests, check and credit card fraud, and theft by employees. Most financial statement misrepresentations involved overstatements of accounts receivable, inventory, securities, or other assets. Tips once again were found to be essential in detecting fraud in the Association of Certified Fraud Examiners (ACFE) 2012 Report to the Nations on Occupational Fraud and Abuse, a global fraud study released in May. Each ACFE report on occupational fraud and abuse since 2002 has identified tips as the most common method of fraud detection. As in the most recent previous Report to the Nations in 2010, management review and internal audit ranked as the second- and third-most common methods of detection, but tips were almost three times as common as either of those factors as an initial method of detection. Initial detection occurred via tip in 43% of the frauds in the survey. The ACFE survey, available at acfe.com, found industries most commonly victimized by fraud were banking and financial services, government and public administration, and manufacturing. Asset misappropriation was the most common type of fraud found in the ACFE survey at 87% of cases reported by respondents. But those cases were the least financially costly at a median loss of $120,000. Conversely, while financial statement frauds remained relatively rare at 8% of the cases detailed by respondents, they inflicted greater damage, with median losses of $1 million, the ACFE found. For all geographic regions, corruption and billing schemes constituted more than 50% of the frauds reported to the ACFE, making those types of schemes a worldwide risk. EXECUTIVE SUMMARY Organizations with fewer than 100 employees significantly trail their larger counterparts in the implementation of formal antifraud controls, according to a worldwide survey by the Association of Certified Fraud Examiners (ACFE). Antifraud experts say formal controls can help small businesses prevent and detect instances of fraud that, left undiscovered, could lead to costly losses and possibly to bankruptcy. Antifraud controls don’t have to be expensive. Experts say instituting a formal code of conduct, having management review processes and controls, and providing antifraud training to employees are costeffective ways to help small businesses with limited resources prevent fraud. Fraud concerns don’t appear likely to abate. Seventy-nine percent of CPAs responding to the AICPA’s 2011 Forensic and Valuation Services (FVS) Trend Survey said they expect greater demand for services over the next two to five years. Computers and smartphones are particularly susceptible to fraudulent activity. Forensic and valuation accountants expect a significant increase in hiring of computer forensics personnel in the next two to five years, according to the FVS Trends report. Users of smartphones are seeing data compromised when they log on to unfamiliar networks. Ken Tysiac is a JofA senior editor. To comment on this article or to suggest an idea for another article, contact him at ktysiac@aicpa.org or 919-402-2112.