Taming the monsters inside us

An awful lot is written about security from an Information Technology perspective, so we are pre-programmed to think that security means firewalls, encryption protocols, password policies, tokens and the like. Unfortunately, organizations are most at risk of theft and fraud from those who have intimate knowledge of their inner workings. We often don’t hear about these events because they are perceived as an embarrassment to the victimized entity.

Over my career, I’ve seen a number of situations where organizations have unwittingly put themselves at great risk for internal or even customer fraud. I’ve also been privy to some clever (but misguided) attempts that have failed miserably.

And I’d like to share a few of these past situations that have left an indelible impression on me.

I’ll start with the Canadian felon who duplicated a legitimate client refund check and then proceeded to issue hundreds of duplicate checks off this account. Then there was the controller who embezzled cash by processing refunds to inactive client accounts and redirecting the refund deposits to his mother-in-law’s bank account. Another incident involved an accounts receivable clerk who deposited hundreds of customer checks into a duplicate company account that she had fraudulently opened in her name only. I was once exposed to a situation where a payroll manager cleverly voided federal tax deposits and then transferred those exact amounts to her own bank account. I should also mention the former Human Resources manager who used his still-valid payroll login credentials to change employee net pay bank account numbers to fund anonymous electronic payroll debit cards. Not so long ago, an IT worker retaliated against his soon-to-be former employer by posting all employee salaries on multiple bulletin boards at work. And finally, the data processing technician who gleaned bank account numbers from a payroll export file and then made online credit card payments using those stolen account numbers.

The common denominator in all of these situations is an insider. Well-thought-out internal security protocols and procedures are our best defense against this type of fraud.
Here are my recommendations for protecting yourself against being defrauded by the monster inside us.

Be ever vigilant with your cash and cash accounts. Reconcile bank accounts frequently and separate the reconciliation responsibility from those who process payments or create client accounts. Use online banking access to match checks, electronic payments, and deposits to your accounting system daily. Require two signatures and/or electronic authorization for all checks or transfers greater than a threshold amount. Place blocks on your accounts so only authorized third parties can debit funds from you. Use positive pay banking features (the bank honors only checks that match the check-issue file you send it), and flag unknown transactions and investigate them immediately. Good internal controls and procedures are the best deterrent to internal fraud. These basic steps will not only reduce your exposure to fraud, they’ll help you identify it quickly when it happens so you can substantially mitigate your damages.
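What the daily match against the bank looks like in practice, as an added example that is not part of the original article: a script that clears each bank item against one ledger entry, and reports the exceptions the paragraph above asks you to chase (unexplained bank items, a check number clearing twice, a debit from a party not on your authorization list, and a large outgoing item without two recorded approvers). The two CSV feeds, the field names, the threshold and the allow-list are all constructed for the example.

```python
"""Daily bank-to-ledger matching with exception reporting.

Added example, not from the original article. Inputs are two constructed CSV
snippets with hypothetical field names: the bank's daily activity feed and the
accounting system's register of issued checks, transfers and expected deposits.
"""
import csv
from collections import Counter
from decimal import Decimal
from io import StringIO

# Constructed sample data (hypothetical names, refs and amounts).
BANK_FEED = """date,type,ref,amount,counterparty
2024-05-01,check,1041,1250.00,Acme Supplies
2024-05-01,check,1041,1250.00,Acme Supplies
2024-05-01,ach_debit,,980.00,Unknown Vendor LLC
2024-05-02,check,1042,47000.00,Northside Leasing
2024-05-02,deposit,,5200.00,Client 1187
"""

LEDGER = """date,type,ref,amount,counterparty,approved_by
2024-05-01,check,1041,1250.00,Acme Supplies,controller
2024-05-02,check,1042,47000.00,Northside Leasing,controller
2024-05-02,deposit,,5200.00,Client 1187,
"""

DUAL_APPROVAL_THRESHOLD = Decimal("10000.00")             # hypothetical policy value
AUTHORIZED_DEBITORS = {"Payroll Co", "State Tax Agency"}  # hypothetical ACH debit allow-list


def _rows(text):
    return list(csv.DictReader(StringIO(text)))


def _key(row):
    # A bank item clears a ledger item only when type, reference, amount and payee all agree.
    return (row["type"], row["ref"], Decimal(row["amount"]), row["counterparty"])


def reconcile(bank_csv, ledger_csv, threshold=DUAL_APPROVAL_THRESHOLD,
              allowed_debitors=AUTHORIZED_DEBITORS):
    """Return the exceptions a reviewer should chase today, grouped by kind."""
    ledger = _rows(ledger_csv)
    remaining = Counter(_key(r) for r in ledger)  # multiset: each ledger entry clears once
    findings = {"unmatched": [], "duplicate_check": [],
                "unauthorized_debit": [], "missing_dual_approval": []}
    seen_check_refs = set()

    for row in _rows(bank_csv):
        if row["type"] == "check":
            # The same check number clearing twice is the duplicate-check pattern.
            if row["ref"] in seen_check_refs:
                findings["duplicate_check"].append(row["ref"])
            seen_check_refs.add(row["ref"])
        if row["type"] == "ach_debit" and row["counterparty"] not in allowed_debitors:
            # Only pre-authorized third parties may pull funds from the account.
            findings["unauthorized_debit"].append(row["counterparty"])
        key = _key(row)
        if remaining[key] > 0:
            remaining[key] -= 1  # cleared against exactly one ledger entry
        else:
            # Nothing in the ledger explains this bank item: investigate today.
            findings["unmatched"].append(
                (row["type"], row["ref"], row["amount"], row["counterparty"]))

    for r in ledger:
        # Large outgoing items need two distinct approvers recorded as "a;b".
        if r["type"] in ("check", "transfer") and Decimal(r["amount"]) > threshold:
            approvers = {a.strip() for a in r["approved_by"].split(";") if a.strip()}
            if len(approvers) < 2:
                findings["missing_dual_approval"].append(r["ref"])
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(BANK_FEED, LEDGER).items():
        print(f"{kind}: {items}")
```

The ledger is treated as a multiset on purpose: once the genuine check 1041 has cleared, the second presentation of the same number has nothing left to match and shows up both as a duplicate and as an unmatched item, which is exactly the duplicated-refund-check scheme described earlier. Run it from the same person who reconciles, not from whoever issues the payments.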

Separate Duties. I’ll say it again for effect. Separation of duties is essential. For example, never-ever-ever have the person who receives the money and credits the client accounts also produce your client billing. Client setup and termination should never be handled by the person who collects and posts your money. The person who reconciles the bank accounts should be different from the one who makes journal entries into the accounting system. You get the idea here: separate duties so that one accounting function provides a built-in audit of the other.
Expire access to systems and facilities prior to terminating employees. Termination can trigger retaliation and drama, and you don’t want that drama playing out after the fact with credentials that still work. Get your ducks in a row before letting any employee go: terminate their access to all systems, collect all their company assets, and ensure that their access to facilities is limited.

Treat your payroll vendor like it is giving away your money. Just because you’ve outsourced your payroll doesn’t mean that you are safe from fraud. Make sure the duty of changing account numbers is separated from the duty of reviewing account number changes. It is a good practice to audit direct deposit account changes prior to processing each payroll. Also verify all third-party deposits. Review all manually entered checks, adjustment checks, and voided payments. Ensure that appropriate security is set up so sensitive information like salaries, social security numbers, and account numbers is available on a need-to-know basis. Limit those who can create output data or exported reports containing sensitive data. Interface and export files should be encrypted at the source before they are downloaded or transmitted. A good payroll vendor will provide features such as warnings and detail reports to make these audits and verification steps fast and painless. If your payroll company doesn’t support these important features, then get a new payroll company.
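The separation-of-duties rule and the pre-payroll audit of direct deposit changes and manual payments, as an added example that is not part of the original article or any payroll vendor’s product: a script run over the vendor’s change log and payment log before the run is released. It flags account changes reviewed by nobody or by the same person who made them, changes made with a login that should already have been expired, several employees’ net pay routed into one account, and a void paired with a transfer of exactly the same amount. The two CSV logs, the field names, the account identifiers and the active-user roster are all constructed for the example.

```python
"""Pre-payroll audit of direct-deposit changes and manual payment activity.

Added example, not the original article's or any payroll vendor's code. The two
CSV snippets are constructed and the field, login and account names are hypothetical.
"""
import csv
from collections import defaultdict
from decimal import Decimal
from io import StringIO

# Constructed sample data.
DD_CHANGES = """pay_run,employee_id,new_account,changed_by,reviewed_by
2024-06,E101,ACCT-7781,hr.lee,ctrl.park
2024-06,E102,ACCT-9902,hr.lee,hr.lee
2024-06,E103,ACCT-9902,hr.lee,
2024-06,E104,ACCT-4410,hr.gomez,ctrl.park
"""

PAYMENT_EVENTS = """pay_run,event,amount,account,entered_by
2024-06,void,18250.00,FED-TAX,pay.moss
2024-06,transfer,18250.00,ACCT-5531,pay.moss
2024-06,manual_check,1200.00,,pay.moss
2024-06,void,300.00,ACCT-7781,pay.moss
"""

# Hypothetical roster of logins that should still be active; hr.lee has left.
ACTIVE_USERS = {"ctrl.park", "hr.gomez", "pay.moss"}


def _rows(text):
    return list(csv.DictReader(StringIO(text)))


def audit_payroll(changes_csv, events_csv, active_users=ACTIVE_USERS):
    """Return the exceptions to clear before the pay run is released."""
    changes = _rows(changes_csv)
    events = _rows(events_csv)
    findings = {"unreviewed_change": [], "inactive_user_change": [],
                "shared_account": {}, "void_then_transfer": [], "needs_review": []}

    by_account = defaultdict(list)
    for c in changes:
        # Separation of duties: whoever changes an account may not be its reviewer.
        if not c["reviewed_by"] or c["reviewed_by"] == c["changed_by"]:
            findings["unreviewed_change"].append(c["employee_id"])
        # Changes made with a login that should have been expired at termination.
        if c["changed_by"] not in active_users:
            findings["inactive_user_change"].append(c["employee_id"])
        by_account[c["new_account"]].append(c["employee_id"])
    # Several employees' net pay landing in one account is the funnel pattern.
    findings["shared_account"] = {a: e for a, e in by_account.items() if len(e) > 1}

    transfers = [e for e in events if e["event"] == "transfer"]
    for v in (e for e in events if e["event"] == "void"):
        # A void paired with a transfer of exactly the same amount in the same run.
        for t in transfers:
            if t["pay_run"] == v["pay_run"] and Decimal(t["amount"]) == Decimal(v["amount"]):
                findings["void_then_transfer"].append((v["pay_run"], v["amount"], t["account"]))
    # Everything keyed in by hand gets a second pair of eyes before the run.
    findings["needs_review"] = [(e["event"], e["amount"], e["entered_by"]) for e in events
                                if e["event"] in ("void", "manual_check", "adjustment")]
    return findings


def payroll_may_run(findings):
    """Release only when no change is unreviewed or made by an expired login."""
    return not findings["unreviewed_change"] and not findings["inactive_user_change"]


if __name__ == "__main__":
    f = audit_payroll(DD_CHANGES, PAYMENT_EVENTS)
    for kind, items in f.items():
        print(f"{kind}: {items}")
    print("release payroll:", payroll_may_run(f))
```

The gate in payroll_may_run is deliberately narrow: an unreviewed change or a change by a departed login is enough to hold the run, while the other findings are handed to the reviewer rather than blocking pay. Whoever runs this audit must be someone other than the person who enters the changes, or the script just automates the conflict it is meant to catch.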

The above recommendations are not intended to be exhaustive. The examples should make you think, assess your own fraud risks, and create a plan to mitigate them. Disciplined audit and security protocols are a great deterrent to fraud, and that deterrent may be just enough to tame the monsters inside your organization.