Once upon a time in a company not so far away, there existed a man we’ll call Bob. Bob was a friendly person whose job was to supervise accounts receivable. Because this was a fairly small company, one of Bob’s duties was to make collection calls.
One day the Controller asked Bob to make calls for a variety of past due balances that were each in the $100-200 range. Over the next couple of weeks, these balances disappeared from the accounts receivable aging and the Controller was happy because he believed the money had been collected.
In reality, Bob had written the balances off. How did this happen without the Controller’s knowledge?
The existing policy stated that balances to be written off had to be approved by the next level of management before they were entered. If Bob had written up the adjustments himself, they would have required the Controller’s signature. But Bob was sly. He had a part-time clerk, and he simply asked her to write them up. Then, because Bob was the clerk’s next level of management, he signed them and returned them to the clerk to be entered. The end result: the outstanding balances went away not because they were collected but because they had been written off as bad debt.
Bottom line, Bob worked the system by staying within the rules. And it was very easy because the rules in this organization had been written by honest people who never foresaw anyone attempting to subvert the system. Therefore, very few checks and balances had been created.
This is actually fairly common in small to medium-sized businesses. And it’s one of the reasons that almost 1/3 of fraud cases occur in companies with fewer than 100 employees and ½ occur in companies with fewer than 1,000 employees.* Therefore, this is a very real risk.
A great way to minimize fraud risk is to build a strong internal brand that includes an emphasis on doing the right things. When the company culture is strong, unethical people will frequently self-select out because they will feel uncomfortable. Additionally, other employees will be more likely to report any questionable behavior.
However, the bottom line is that rules should not be written by honest people. By this I mean that the most effective rules have checks and balances written in by people who foresee that someday they may actually have a dishonest person on their staff. The trick is to include them in a way that does not make the rest of your staff feel like you don’t trust them.
In the scenario above, it would have been as simple as creating and reviewing an exception report that showed all negative revenue amounts and any changes to the bad debt account. Checks and balances don’t need to be complicated or time consuming. They do need to be based upon a prudent and thoughtful approach to potential risks combined with a creative approach to keeping it all as simple, quick and easy as possible.
Who wrote your rules? Did they anticipate that someday someone dishonest may try to subvert them?
*Source: 2016 Report to the Nations, ACFE.