Small Business - Big Risks
Fraud Controls Lacking at Organizations with Fewer
than 100 Employees
Small businesses are significantly more likely than their larger counterparts to neglect instituting basic
antifraud controls that could save them from costly losses, a recent worldwide survey shows.
Organizations with fewer than 100 employees were significantly outpaced by larger organizations in every
fraud control measured in the Association of Certified Fraud Examiners (ACFE) 2012 Report to the
Nations on Occupational Fraud and Abuse, which was released in May. The ACFE’s global fraud study
found:

• Just 56% of organizations with fewer than 100 employees represented in the survey underwent
  external audits of their financial statements, compared with 91% of businesses with 100 or more
  employees.
• Employees received fraud training at just 18.5% of small organizations in the survey, compared
  with almost six in 10 larger organizations.
• Management certification of the financial statement occurred at 43% of small organizations in the
  survey, compared with 81% of larger ones.
• Formal codes of conduct existed at just 50% of organizations with fewer than 100 employees in
  the survey, compared with 90% of organizations with 100 or more employees.

“The percentage of small organizations that have formal controls in place is just so dwarfed by the large
organizations,” Andi McNeal, CPA, the ACFE’s director of research, said. “And we noticed a real
opportunity for small organizations to invest in simple measures, even a code of conduct, which frankly
shouldn’t cost more than a handful of hours of employees’ time.”
The ACFE Report to the Nations was one of two studies released in May that provided substantial
perspective on fraud. The AICPA’s 2011 Forensic and Valuation Services (FVS) Trend Survey found that
demand for tech-savvy forensic and valuation CPAs is soaring as computers play an increased role in
fraud.
VALUE IN VIGILANCE
In the ACFE study, available at acfe.com, businesses with fewer than 100 employees often lacked formal
controls and were shown to be three times more likely than their larger counterparts to discover instances
of fraud by accident. Smaller businesses were almost twice as likely to discover fraud when notified by
police and were not nearly as likely to uncover fraud through an internal audit.
In the online survey completed by 1,388 Certified Fraud Examiners (CFEs) in late 2011, the ACFE asked
respondents to provide a detailed narrative of the largest occupational fraud case they had investigated
and completed since January 2010. The results of these fraud cases were used to compile the survey
and illustrate a point championed by internal control advocates.
Larry Rittenberg, CPA, the former chairman of the Committee of Sponsoring Organizations of the
Treadway Commission (COSO), said small businesses need effective internal controls just as larger
businesses do. He said small businesses start with great entrepreneurs who have good ideas and create
useful products. The reason many of them fail, he said, is that they don’t develop financial discipline.
“Good internal control is good business,” said Rittenberg, an emeritus professor of accounting at the
University of Wisconsin. “That’s why you have internal control. And there’s always the link. You’ve got
risk. And controls are there to mitigate those risks. And some of them can be done at pretty low cost.”
McNeal said it’s more cost-effective, directly and indirectly, to invest in fraud prevention measures than to
wait and spend the money on detection, investigation, and trying to recover losses a business might
suffer. She said that, anecdotally, the ACFE repeatedly hears about small businesses being shuttered
because of fraud by their employees.
A fraud that costs $100,000 can sink a small business, McNeal said, and frauds of that size are not
unusual. The median loss caused by the occupational fraud cases in the ACFE survey was $140,000,
and more than one-fifth of the cases caused losses of at least $1 million. The presence of antifraud
controls correlated with significant decreases in the cost and duration of fraud, the survey found.
Considerably lower losses and time to detection were reported at organizations that had implemented any
of 16 common antifraud controls (see Exhibit 1 below).
Organizations with job rotation and mandatory vacation policies, for example, had a 63% reduction in the
average duration of fraud before detection. Job rotation policies require employees to regularly switch
duties, enabling co-workers to identify errors or unethical behavior. Mandatory vacation policies require
employees to leave their positions long enough for a co-worker to fulfill their duties, which can lead to
discovery of irregularities.
“If they invest in any kind of antifraud training program, it doesn’t have to cost a lot of money, but it can be
an extremely effective fraud prevention tool and fraud detection tool,” McNeal said, “and if done properly it
can save an organization lots of resources both in the short and the long run.”
The Report to the Nations says antifraud measures such as a code of conduct, employee training
programs, and formal management review of controls and processes can be implemented at marginal
costs in many small organizations and can significantly increase prevention and detection of fraud. The
cost of instituting codes of conduct and management review of controls and processes can be essentially
limited to the expense required for the labor to implement them.
A code of conduct is an inexpensive control that can help management set the bar for employee
standards, McNeal said.
“This is one area where management can really send a signal that, ‘Hey, this is important to us. We want
a culture of honesty and integrity. We want to make ethics a priority,’ ” she said.
Exhibit 1: Antifraud controls lag at small businesses
Small businesses whose frauds were reported in an online survey of 1,388 Certified Fraud Examiners
conducted late in 2011 significantly trailed their larger counterparts in frequency of antifraud controls,
according to the 2012 Report to the Nations on Occupational Fraud and Abuse by the Association of
Certified Fraud Examiners (ACFE).
FORENSIC SERVICES IN DEMAND
The AICPA study showed that fraud is likely to remain a significant concern for the foreseeable future.
Seventy-nine percent of forensic and valuation CPAs said they expect greater demand for services in the
next two to five years, according to the report, which is available at tinyurl.com/88eyj9r. More than half of
respondents said they would hire employees to handle computer forensic investigations; 83% expect
more demand in this area in the next two to five years.
Steve Howe, the Americas area managing partner for Ernst & Young, said forensic investigation is one of
the public accounting service lines that will be in greater demand in the near future. He said the
significance of emerging markets, the Foreign Corrupt Practices Act, and investor concerns all play roles
in that increasing demand.
“I think the market is going to need more from all of us there,” he said during a panel discussion in May
with leaders from seven other large public accounting firms at the AICPA spring Council meeting.
Robert Harris, CPA/CFF, CGMA, who chairs the AICPA’s 2012 Certified in Financial Forensics (CFF)
Credential Committee, said he is seeing much more fraud related to computers and people circumventing
software to hide disbursements to themselves. He said employees with smartphones are essentially
running around with minicomputers in their hands and logging in to networks that are not legitimate. He
said passwords then get stolen, and accounts and information get compromised. Harris advises users not
to log in to networks they don’t recognize, and not to open emails unless they are sure they know who
sent them.
“Just because they have your email address, don’t assume it’s somebody that knows you or it is a
legitimate site,” he said. “And look really carefully, because the amount of phishing that goes on, using
banks, airlines’ names, brokerage houses, is huge.”
Stay on top of regulatory changes
Aside from attracting and retaining qualified staff, keeping abreast of regulatory changes was rated as the
most challenging issue forensic professionals will face in the next two to five years in The 2011 Forensic
and Valuation Services (FVS) Trend Survey. The report, available at tinyurl.com/88eyj9r, provides best
practices for keeping up with regulatory changes:
Leverage technology. Much relevant information can be found on websites of regulatory bodies. Free
and paid sites offer advice, articles, white papers, and other guidance.
Assign responsibility. Divide and conquer by assigning specific individuals the task of updating and
maintaining institutional knowledge of new regulations, although everyone should be kept abreast of the
general rules.
Be social. Attend conferences and presentations, or participate in webinars.
Subscribe. Key periodicals are a good source of new laws.
Financial sector, revenue recognition require vigilance
Continued vigilance for occurrences of fraud is especially necessary in the financial sector, according to a
forecast in an AICPA survey.
Forensic and valuation CPAs anticipate investing entities and lending institutions to be the business
sectors with the most allegations of financial misrepresentation over the next two to five years, according
to the AICPA’s 2011 Forensic and Valuation Services (FVS) Trend Survey.
Twenty-five percent of FVS professionals said the most allegations would come from investing entities,
and 19% said financial misrepresentation would be most common in lending institutions. The full report is
available at tinyurl.com/88eyj9r.
Robert Harris, CPA/CFF, CGMA, chair of the AICPA’s 2012 Certified in Financial Forensics (CFF)
Credential Committee, said that overstatements in the financial sector often are accidental.
“When we were going through the financial crisis, we saw a market that was very thin—in other words,
there were so few investors—thus we were seeing values drop on many of these mortgage-backed-security
portfolios,” he said. “And this makes it very hard to come up with a value. Many of the values
recorded that people felt were too high were not intentional. I think most people are trying to do their best
to record an accurate value, but it was hard to get values.”
Revenue recognition, which has a converged standard under development by FASB and the International
Accounting Standards Board, was identified as the most prevalent issue that will be encountered in
financial statement misrepresentation over the next two to five years. Thirty-six percent of forensic and
valuation CPA respondents identified revenue recognition as the top issue, and 32% said valuation of
assets carried at fair value would be the most prevalent concern.
In addition to polling forensic and valuation CPAs, the AICPA survey solicited feedback from CPA
decision-makers in business and industry, who identified the fraud issues they have faced. Frauds most
commonly reported by business and industry respondents were false payment requests, check and credit
card fraud, and theft by employees. Most financial statement misrepresentations involved overstatements
of accounts receivable, inventory, securities, or other assets.
Tips once again were found to be essential in detecting fraud in the Association of Certified Fraud
Examiners (ACFE) 2012 Report to the Nations on Occupational Fraud and Abuse, a global fraud study
released in May. Each ACFE report on occupational fraud and abuse since 2002 has identified tips as the
most common method of fraud detection.
As in the most recent previous Report to the Nations in 2010, management review and internal audit
ranked as the second- and third-most common methods of detection, but tips were almost three times as
common as either of those factors as an initial method of detection. Initial detection occurred via tip in
43% of the frauds in the survey.
The ACFE survey, available at acfe.com, found industries most commonly victimized by fraud were
banking and financial services, government and public administration, and manufacturing.
Asset misappropriation was the most common type of fraud found in the ACFE survey at 87% of cases
reported by respondents. But those cases were the least financially costly at a median loss of $120,000.
Conversely, while financial statement frauds remained relatively rare at 8% of the cases detailed by
respondents, they inflicted greater damage, with median losses of $1 million, the ACFE found.
For all geographic regions, corruption and billing schemes constituted more than 50% of the frauds
reported to the ACFE, making those types of schemes a worldwide risk.
EXECUTIVE SUMMARY
Organizations with fewer than 100 employees significantly trail their larger counterparts in the
implementation of formal antifraud controls, according to a worldwide survey by the Association of
Certified Fraud Examiners (ACFE). Antifraud experts say formal controls can help small businesses
prevent and detect instances of fraud that, left undiscovered, could lead to costly losses and possibly to
bankruptcy.
Antifraud controls don’t have to be expensive. Experts say instituting a formal code of conduct, having
management review processes and controls, and providing antifraud training to employees are
cost-effective ways to help small businesses with limited resources prevent fraud.
Fraud concerns don’t appear likely to abate. Seventy-nine percent of CPAs responding to the AICPA’s
2011 Forensic and Valuation Services (FVS) Trend Survey said they expect greater demand for services
over the next two to five years.
Computers and smartphones are particularly susceptible to fraudulent activity. Forensic and
valuation accountants expect a significant increase in hiring of computer forensics personnel in the next
two to five years, according to the FVS Trends report. Users of smartphones are seeing data
compromised when they log on to unfamiliar networks.
Ken Tysiac is a JofA senior editor. To comment on this article or to suggest an idea for another article,
contact him at ktysiac@aicpa.org or 919-402-2112.