Lessons Learned From Real Forensic Investigations
Our forensic projects always lead us into new areas, many unexpected, which offer opportunities for us to suggest changes companies can make to capitalize on lessons learned. The sad reality is that the lessons we often learn arise because of losses sustained by other companies as a consequence of fraudulent activity perpetrated against them. Nevertheless, if either of these programs apply to your business, you may wish to consider the strength of your internal control system and of management oversight and approval.
Corporate Credit Cards and Rewards Points Programs
Involvement of management in supervision and monitoring of corporate credit card activity and control of rewards programs should be a priority. Having a policy and procedure as to allowable use, and even more importantly, prohibited use, is a significant concern any time these programs are in place. Our observations have revealed several common classes of fraudulent behavior associated with these programs:
- Purchases for personal use on corporate credit card accounts.
- Diversion or use of rewards points, which belong to the company, to personal purchases.
Most unrecoverable losses we have observed result from ambiguity surrounding prohibited use of these programs.
To close this risk off, companies should establish detailed policies and procedures addressing these risks which not only address what is allowable and what is not in using these programs, but how unauthorized usage may be cause for termination of employment. Further, such purchases may be included as compensation in the employee’s taxable earnings for which he/she are liable for payment of income taxes.
Companies should inquire of their insurance provider as to the cost of generally low-cost economic crime, theft or employee bonding coverage, the latter most important when dealing in industries where assets are at an especially high risk of theft or otherwise are easily converted to cash.
Use of Online Payment Processors (e.g., PayPal)
Companies that routinely process transactions through online payment processors should regularly monitor activity flowing through these accounts. The related accounts should be treated exactly the same as if they were bank accounts, as they house the funds of the company. They also can be used for purchasing as well in the hands of any individual who has the credentials required to access the account.
For the overall safety of the company, consider the following, in addition to the policy and procedures recommendation explained above, which applies equally here:
- Upper-level management should review a “bank reconciliation” of all online accounts monthly.
- User ID and password combinations should be changed frequently.
- Current credentials should be assigned only to the minimum number of people required, based upon job duties and need.
- Upper-level management should always be in possession of the current access credentials and confirm the ability to access the accounts.
- Monitor accounts for unusual or unexpected activity: shipments to unknown addresses, unusual quantities, foreign transactions.
- Enable fraud alerts available to account owners and route delivery to the appropriate addresses.
- Unusual activity should be followed up on immediately to ensure the company’s ability to recover lost funds should a fraud occur.
- Take care to avoid interaction with phishing emails designed to fraudulently obtain access credentials.
Following basic program and account monitoring and management oversight procedures, combined with effective communication of allowed and prohibited activities will serve to close down some of the more common risk loopholes companies face that allow assets to unwittingly slip away.
Contributing author: Brian W. Johnson, CPA, CFE, is an audit partner at Dannible & McKee, LLP. Brian has over 36 combined years of experience providing audit and accounting services to both private and publicly-held domestic and foreign companies. He has extensive experience providing fraud and forensic examinations, as well as SOC audits, internal audit outsourcing and internal controls evaluation and consulting. For more information on this topic, you may contact Brian at firstname.lastname@example.org or (315) 472-9127.