Controlling Embezzlement
"If you make it easy for people to steal from you, they will."
(Frank Abagnale, Special Investigator to the FBI)
If you want to avoid being a victim of check fraud, use highly secure checks and Positive Pay. If you want to avoid being embezzled, institute tough internal barriers and conduct regular and thorough audits.
Embezzlement has ranked as America's number one financial crime for more than 30 years, and it will likely hold that distinction for years to come. Most embezzlement cases begin with an employee covering a small, short-term financial need with the intention to give the money back. Basic internal financial controls would have prevented or substantially reduced the opportunity for this to occur. Consider some of the better internal controls to deter embezzlement.
1. Review hiring procedures for permanent and temporary positions to keep people with questionable backgrounds out of your organization. Request and thoroughly check references, and pay particular attention to dates and time gaps in a resume. When filling positions in sensitive areas, consider hiring an outside firm to conduct complete background checks. When using temporaries in financial areas, have them bonded.
2. Protect the accounts payable and procurement functions by restricting access to the vendor master file records. Changing or adding new vendors should require supervisory approval and supporting documentation. Someone independent of the buying and payment processing functions should review all new supplier entries. The review should always include a telephone call to the new supplier, using a number obtained from an external directory source. Verify the name, address, and Federal tax ID number.
3. Prevent ghost employees and improperly altered pay rates by restricting access to the personnel master file records. As with the accounts payable function, adding new employees or changing pay rates should require supervisory approval and supporting documentation.
4. Create Audit Trails. Access to the master file records should be password protected and restricted by job function. Computer systems should create an audit trail of all changes made to the master file records, including who made the change. A report detailing the changes should be printed and reviewed by someone independent of the person or persons making the changes. This report is sometimes referred to as an "access matrix." The access matrix should list each person with system access and the person's level of access by module. Comparing the access authority of each employee should be part of this review. Determine a standard "access profile" for each employee position and restrict the master file records to these persons. Immediately remove the access of employees who terminate. Immediately modify the access of reassigned employees. And immediately investigate any unusual or suspicious activity. Most computer systems are designed with audit trail capabilities, but companies rarely use them. Programming access reports is not difficult.
Situation: In a recent case, a major manufacturer discovered that an accounts payable supervisor had edited a supplier record in the master file before the accounts payable checks were printed. The employee had access to set up and edit records in the supplier master file, but the oversight function was not in place. A vendor's name had been changed to the employee's mortgage company, along with a reference to his loan number. Most mortgage companies accept large principal reductions outside of regular monthly payments only with specific written instructions to do so. Since the employee could not intercept mailing of the payment, a written note was not included. The fraud was discovered when the mortgage company returned the check to the manufacturer.
5. Separate the accounts receivable and banking functions. Receipts and deposits must balance each day, and different people should perform the functions to prevent fraudulent endorsements. Separate groups should also process payments, disburse checks, and perform bank reconciliations. If these duties are not separated, a dishonest employee could issue a check to him- or herself, or to a co-conspirator, remove the check from the bank statement, and adjust accounting records to hide the embezzlement.
The revised Uniform Commercial Code (UCC) makes it very clear that employers have sole responsibility to properly manage this area. The UCC adopts the principle that the risk of loss from fraudulent endorsements by employees entrusted with the responsibility for checks should fall on the employer rather than on the bank that takes the check or pays it, if the bank was not negligent in the transaction. It is based on the belief that the employer is in a far better position to avoid the loss by care and by choosing employees and supervising them, and by adopting other measures to prevent forged endorsements on instruments payable to the employer.
6. Mailroom personnel must have clean backgrounds, and internal procedures must be established to discourage theft of incoming or outgoing checks. Many companies that have been victims of an altered payee check fraud scam have traced the source of the original checks to their own mailroom. Also, replace your company name and address on disbursement envelopes with a simple post office box number. This post office box should be established separately and solely for returned checks.
7. Segregate Processing of Returned Checks. Checks that are returned by the intended recipient or by the Post Office as undeliverable should not be returned to the original processor. A person independent of the payment function should be designated to handle these exceptions and investigate the reason for the return.
Situation: An uncashed disbursement check was returned to an accounts payable clerk for disposition because she originated the invoice entry. The clerk put the check in her desk and forgot about it for several months. Upon cleaning her desk, she discovered the returned check. When she checked the paid history, she realized the supplier had returned the check when it was determined to be a duplicate payment of an invoice. She also noticed that the payee name had been printed slightly below "Payee" on the check. With a bit of effort she managed to align the check and insert her name above the original payee in a print similar to the original, along with an "or" designation following her name. The fraud was caught by an accounts payable auditor who was searching for duplicate payments and was asked by the supplier to furnish proof of duplicate payments by providing copies of both cancelled checks.
8. Do Not Include Account Number and Authorized Signatures in Correspondence. Credit applications sent to a new supplier should include the name and phone number of the company's account officer at the bank, but not the bank account number. Nor should correspondence be signed by an authorized signer on the account. You have no control over who handles this information once it is mailed or faxed, and it could be used for fraud. Supplied with a company's account number and armed with the ability to scan the signature, a forger can easily create a check that would pay at the bank, even if the amount is large and the bank verifies the signature.
9. Protect All Checks. All checks and other cash equivalents, whether preprinted or entirely blank, must be stored in a locked facility with restricted employee access. Cleaning crews must not have access into the area where checks are stored. Conduct a physical inventory at least quarterly to account for every check. Zero amount checks and checks that have been cancelled or voided should immediately be written or stamped with "void" or "cancelled" to render the document unusable. All cancelled or voided checks that include a manual or facsimile signature should have the signature removed. A person other than the accounts payable processor who handled the original transaction should be responsible for accounting for voided or cancelled checks. Too often, checks that are to be cancelled or voided are left on desks or in someone's in-box, even though they are still "live" checks. Employees know that a replacement check was issued for the cancelled or voided check, and that the cancelled check will not be missed.
Situation: The Accounts Payable department of a city in the West had a poor practice of throwing checks that had been crumpled by the printer into the trash. The checks were not voided. A member of the cleaning crew had a practice of salvaging those checks, forging signatures, and cashing them for increasingly larger amounts of money. The thefts were not discovered until the account was overdrawn, but by then, over $1,000,000 was stolen. The city, it was discovered, had not reconciled its accounts in over a year, and its own practices had contributed substantially to the loss. The bank lost the customer, but was not liable except on the first few checks.
10. Destroy Obsolete Check Stock. Obsolete check stock should be shredded or rendered unusable in some manner as soon as possible. Often, when bank accounts are closed or when highly secure check stock replaces old checks, boxes of the old checks are left unattended outside the locked cabinet where the new checks are maintained. Some companies have even stacked old checks on a pallet in the warehouse. The ill-founded rationale behind such decisions is that there is no need for concern about checks drawn on an account that has been closed. Remember, checks are checks. All checks must be kept under lock and key. Although an account may be closed, someone could steal and pass the old checks to an unsuspecting third party. The company would be considered negligent and held responsible for the loss incurred by that innocent third party.
11. Shred All Negotiable Documents in Dual Custody, or use a bonded shredder.
12. Return Checks to Secure Storage after Every Check Run. Empty the laser printer tray of checks and return them to the locked storage area after every check run. Often, unused checks from the last check run are not immediately returned to secure storage. An unauthorized employee or a cleaning crew member could find the checks in the printer tray and use them for criminal purposes. Emptying the printer tray seems so obvious, but it is a practice frequently overlooked.
Situation: A major apparel maker in the Northwest fell victim to a scam involving the theft of a few blank checks left behind from a check run. The company was initially puzzled over how the checks could have been stolen. A review by an independent audit firm revealed that the failure to empty the printer tray was the source of the stolen checks.
13. Mail Vendor Checks. Checks should always be mailed directly to the vendor or payee, not returned to the operating unit, department, division, branch office, or requester. In many situations, the requesting party or operating unit wants to see the check for assurance that payment was made. Often, these operating units try to maintain their own record of disbursements, duplicating the accounting system. This duplication of effort is not necessary. The key issue is either lack of visible payment activity or lack of trust. If either of these is the problem, a solution should be reached that does not involve returning the check to the original requester. Returning checks to the requester is an open invitation for fraud. In some cases, returned checks are altered and negotiated by someone other than the intended recipient.
Situation: An employee of a large company was caught altering payees on checks intended for charities. Because the charitable contributions were within budget, and because charities don't invoice, nothing was missed. Separating the disbursement and mailing functions will discourage this kind of activity.
14. Enforce mandatory vacation policies, particularly for those with access to financial assets or records. Every employee must be required to be out of the office and without transaction control for at least one week each year. Large embezzlement schemes often must be maintained daily, and will sometimes be discovered during an employee's absence. Sophisticated embezzlement schemes are almost always conducted by the long-tenured, implicitly trusted bookkeeper/controller/chief financial officer.
15. Prevent erasure alterations by printing checks using a type font of 12 points or larger. Forgers, including dishonest employees, easily erase words in small type and cover their erasures with a larger font. Impact printers should use single-strike fabric ribbons for maximum ink coverage, and the ribbons should be replaced at the first sign of wear. Never use correctable ribbons when printing or typing checks because the type can be lifted off with plastic tape.
16. Reconcile bank accounts promptly, always within 30 days of the statement mailing. Failure to reconcile bank accounts is an open invitation for employees to embezzle because they know their actions will not be discovered for a long time. Reconciliations must be performed under separation of duties, i.e., parties issuing checks cannot reconcile the accounts. It is the account holder's responsibility to ensure that statements are received, reconciled, and reviewed for forged or altered checks. If you are unable to reconcile within 30 days, hire an outside reconciliation service provider and have the bank statements mailed there directly.
17. Change keys or entry codes periodically to prevent unauthorized access to secure areas.
18. Rotate personnel in financially sensitive assignments periodically.
19. Conduct surprise audits that examine systems and procedures to ensure they perform as expected.
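The access matrix review and audit trail check described in item 4, as an added example that is not part of the original article. The user names, positions, modules, access levels and record numbers are constructed for illustration.

```python
# Constructed sample data; names, modules and levels are hypothetical.
LEVELS = {"none": 0, "read": 1, "edit": 2}

PROFILES = {  # standard access profile per position: module -> highest level
    "ap_clerk": {"vendor_master": "read", "payments": "edit"},
    "ap_supervisor": {"vendor_master": "read", "payments": "edit"},
    "vendor_admin": {"vendor_master": "edit"},
}

ACCESS_MATRIX = [  # one row per person with system access
    {"user": "asmith", "position": "ap_clerk", "active": True,
     "access": {"vendor_master": "read", "payments": "edit"}},
    {"user": "bjones", "position": "ap_supervisor", "active": True,
     "access": {"vendor_master": "edit", "payments": "edit"}},
    {"user": "cdoe", "position": "vendor_admin", "active": False,
     "access": {"vendor_master": "edit"}},
]

AUDIT_TRAIL = [  # master file changes: who made them, who reviewed them
    {"record": "V-1001", "field": "name", "changed_by": "bjones", "reviewed_by": None},
    {"record": "V-1002", "field": "address", "changed_by": "cdoe", "reviewed_by": "cdoe"},
    {"record": "V-1003", "field": "tax_id", "changed_by": "cdoe", "reviewed_by": "asmith"},
]

def review_access(matrix, profiles):
    """Return (user, module, reason) for every access right that needs action."""
    findings = []
    for row in matrix:
        allowed = profiles.get(row["position"], {})
        for module, level in row["access"].items():
            if LEVELS[level] == 0:
                continue
            if not row["active"]:
                findings.append((row["user"], module, "terminated employee still has access"))
            elif LEVELS[level] > LEVELS[allowed.get(module, "none")]:
                findings.append((row["user"], module, "exceeds position profile"))
    return findings

def unreviewed_changes(trail):
    """Return records changed without review by someone other than the editor."""
    return [c["record"] for c in trail
            if c["reviewed_by"] in (None, c["changed_by"])]

if __name__ == "__main__":
    for finding in review_access(ACCESS_MATRIX, PROFILES):
        print(finding)
    print(unreviewed_changes(AUDIT_TRAIL))
```

The second check covers the gap in the item 4 situation: an edit to a supplier record that nobody independent of the editor had reviewed before the check run.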