To prevent occupational fraud from cutting into your auto dealership’s profits and generating negative publicity, you need a strong internal controls system. And effective controls start with current and accurate financial statements.

It starts in accounting

One sign of weak internal controls is an accounting department that fails to generate a balance sheet and income statement until two or more weeks after month’s end. Accounting should post transactions daily, including new and used vehicle sales, repair orders, invoice payments, payroll and cash receipts.

By 1 p.m. on any given day, you should have access to real-time checkbook balances and other accounting information effective as of 5 p.m. the day before. That way, you might be able to catch the first signs of fraud and use the data to catch the perpetrator.

Tried and true methods

Complex computer passwords, background checks and security cameras are essential to preventing fraud. But sometimes these protections fall by the wayside. Periodically review your safeguards and ensure they’re being used. For example, require employees to change their passwords quarterly, conduct regular inventory counts, engage outside CPAs to perform audits and segregate accounting duties.

As a rule of thumb, employees who record and reconcile transactions should never have access to those assets (including being a signer on bank accounts). Give the segregation of duties a starring role in your internal controls program.

Real life examples

To see how such controls can reduce losses, consider this real-life scam. A parts manager stole $70,000 by selling his employer’s parts and pocketing the cash. The loss could have been reduced if the owner had performed random inventory counts throughout the year, rather than waiting for his CPA to physically verify inventories at year end.

In another case, a dealership caught its cashier stealing by voiding service orders and falsifying deposit slips. The cashier’s responsibilities included collecting cash, issuing receipts to customers, preparing the daily deposit slip and reconciling the daily cash report. A loss of $16,000 might have been prevented if the dealership had segregated these duties.

Another dealer learned that his general manager was wholesaling used cars at a loss to the dealership because he owned a 50% interest in the wholesaler. A better pre-employment screening process might have helped detect such conflicts of interest as well as any criminal history.

Be involved

We can help you bolster your dealership’s internal controls. But your involvement is essential to preventing fraud. Let employees know that you personally review bank statements, order test counts of inventory and examine adjusted journal entries. Knowing that you’re paying attention will discourage most thieves. Contact us for more at 205-345-9898 and info@covenantcpa.com.

© 2019 CovenantCPA

In its 2018 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) reported that owners and executives accounted for only 19% of all fraud cases. Yet they caused a median loss of $850,000, vs. a median of $100,000 for rank-and-file employees.

Executive thieves get away with more because they have greater access to assets and can more easily override internal controls. Their schemes also tend to continue for longer periods before detection — an average of two years vs. one year for nonmanager employee schemes. So it’s critical to spot the signs of executive fraud and nab these high-placed thieves.

Greater authority = greater damage

Traditional preventive measures, such as background checks, may be ineffective when it comes to executive fraud because many of these perpetrators are first-time offenders. Fortunately, their schemes tend to raise red flags. Crooked executives often are reluctant to cooperate with internal investigations and outside auditors and may show disrespect for regulators. Sometimes, they offer unreasonable responses to reasonable questions or become agitated or annoyed when probed about financial discrepancies.

Often, their lifestyles betray them. A thieving executive may begin spending extravagantly on expensive cars and vacations. Or a formerly fiscally healthy individual may appear to be mired in debt and have credit problems. In some cases, the motivation for fraud is a substance abuse or gambling problem.

Vulnerabilities create opportunities

Weak internal controls make fraud easier for executives to perpetrate. Vulnerable organizations may have minimal or no segregation of duties, little external audit oversight, a lax or inexperienced accounting staff and excessive trust in key executives. Environments where all decisions are made by an individual or small group are also at higher risk. And companies in financial distress provide particularly fertile ground for fraud perpetrators.

Some executives commit fraud for what they believe is the benefit of the company. Financial weakness, out-of-control expenses, tax adjustments by the IRS, credit difficulties and pressure to meet budgets and earnings projections can all motivate an executive to do “whatever it takes” to prop up the company. When bottom-line results seem too good to be true, that just may be the case.

Tone at the top

Executive fraud can have devastating financial consequences and harm your company’s reputation with shareholders and the public. Also, it sets the ethical tone for the entire organization. Employees who know or suspect their superiors are dishonest are more likely to cut corners — or steal — themselves. So if you suspect fraud in your organization or need to bolster your internal controls, contact us at 205-345-9898 or info@covenantcpa.com.

© 2019 CovenantCPA

It’s every business owner’s nightmare. Should hackers gain access to your customers’ or employees’ sensitive data, the very reputation of your company could be compromised. And lawsuits might soon follow.

No business owner wants to think about such a crisis, yet it’s imperative that you do. Suffering a data breach without an emergency response plan leaves you vulnerable to not only the damage of the attack itself, but also the potential fallout from your own panicked decisions.

5 steps to take

A comprehensive plan generally follows five steps once a data breach occurs:

1. Call your attorney. He or she should be able to advise you on the potential legal ramifications of the incident and what you should do or not do (or say) in response. Involve your attorney in the creation of your response plan, so all this won’t come out of the blue.

2. Engage a digital forensics investigator. Contact us for help identifying a forensic investigator that you can turn to in the event of a data breach. The preliminary goal will be to answer two fundamental questions: How were the systems breached? What data did the hackers access? Once these questions have been answered, experts can evaluate the extent of the damage.

3. Fortify your IT systems. While investigative and response procedures are underway, you need to proactively prevent another breach and strengthen controls. Doing so will obviously involve changing passwords, but you may also need to add firewalls, create deeper layers of user authentication or restrict some employees from certain systems.

4. Communicate strategically. No matter the size of the company, the communications goal following a data breach is essentially the same: Provide accurate information about the incident in a reasonably timely manner that preserves the trust of customers, employees, investors, creditors and other stakeholders.

Note that “in a reasonably timely manner” doesn’t mean “immediately.” Often, it’s best to acknowledge an incident occurred but hold off on a detailed statement until you know precisely what happened and can reassure those affected that you’re taking specific measures to control the damage.

5. Activate or adjust credit and IT monitoring services. You may want to initiate an early warning system against future breaches by setting up a credit monitoring service and engaging an IT consultant to periodically check your systems for unauthorized or suspicious activity. Of course, you don’t have to wait for a breach to do these things, but you could increase their intensity or frequency following an incident.

Inevitable risk

Data breaches are an inevitable risk of running a business in today’s networked, technology-driven world. Should this nightmare become a reality, a well-conceived emergency response plan can preserve your company’s goodwill and minimize the negative impact on profitability. We can help you budget for such a plan and establish internal controls to prevent and detect fraud related to (and not related to) data breaches. Call or email us today at 205-345-9898 or info@covenantcpa.com.

© 2019 CovenantCPA

News of commercial database hackings may seem commonplace in 2019. But while many of these stories focus on hacked bank and credit card accounts, 401(k) plan sponsors and participants probably don’t realize that their plan assets also are at risk.

Employers who offer 401(k) plans to their employees need to take precautions against identity theft. Part of this is educating participants.

Role of sponsors

If your organization sponsors a 401(k) plan, it’s essential that you assess plan service providers’ protection systems and policies. Most providers carry cyberfraud insurance that they extend to plan participants. But there may be limits to this protection if, for example, the provider determines that you (the sponsor) or employees (participants) opened the door to a security breach.

Your plan’s documents may say that participants must adopt the provider’s recommended security practices. These could include checking account information “frequently” and reviewing correspondence from the administrator “promptly.” Make sure you and your employees understand what these terms mean — and follow them.

What participants can do

Traditionally, 401(k) plan participants have been discouraged from worrying about short-term fluctuations and volatility in their accounts, and instead encouraged to focus on the long run. However, lack of regular monitoring can make these accounts vulnerable. Instruct employees to periodically check their account balances and look for signs of unauthorized activity.

Employees also should take the same steps they follow to protect other online accounts. For example:

  • Use strong passwords and change them regularly.
  • Take advantage of two-factor authentication.
  • Don’t use the same login ID and passwords for multiple sites.
  • Don’t allow a browser to store login information.
  • Never share login information.

Such precautions can foil some of the most common retirement plan thieves — relatives and friends — from using their knowledge to gain account access. In one real-life case, a plan participant divorced his wife and moved out of the house. However, he didn’t update his address with his plan provider, change his password or review his balance regularly. His ex-wife cleaned out his more than $40,000 balance.

A few clicks

Without adequate vigilance, anybody can be a few clicks away from cleaning out your employees’ 401(k) accounts. Review your plan documents carefully and educate participants about their responsibilities for monitoring their accounts. Contact us for more information on identity theft at 205-345-9898 or info@covenantcpa.com.

© 2019 CovenantCPA

It should come as no surprise that cash is the most popular target of fraud perpetrators. After all, once stolen, cash itself is virtually untraceable. But that doesn’t mean forensic accounting professionals can’t unearth cash fraud schemes — and the crooks behind them.

3 categories

According to the Association of Certified Fraud Examiners, there are three main categories of cash fraud (which includes checks because they’re easily converted to cash):

  1. Theft of cash on hand,
  2. Theft of cash receipts, and
  3. Fraudulent disbursements.

The last category comprises many of the most frequently executed schemes, such as overbilling and “ghost” vendor or employee schemes. For example, overbilling vendors usually submit inflated invoices by overstating the price per unit or the quantity delivered. A dishonest vendor also might submit a legitimate invoice multiple times. Overbilling may involve collusion with employees of the victim organization, who typically receive kickbacks for their assistance.

Employees also can conduct billing fraud on their own, submitting bogus invoices payable to a fictitious vendor and diverting the payments to themselves. Similarly, an employee might set up payroll disbursements to nonexistent ghost employees.

Tracing schemes

Cash can be difficult to trace once it’s in the hands of a thief. But forensic experts usually are able to trace the path that stolen cash took before the fraudster pocketed it. This includes who “touched” the cash and what prompted its flow out of the organization.

Inflated invoices, for example, often leave a trail of red flags. Experts look for invoices that bill for “extra” or “special” charges with no explanation. Other suspicious signs include round dollar amounts, or amounts just below the threshold that requires management’s signoff, and discrepancies between invoice amounts and purchase orders, contracts or inventory counts.

If forensic experts suspect that fictitious billing has occurred, they often investigate accounts with no tangible deliverables — such as those for consulting, commissions and advertising — and check vendor addresses against employee addresses. Invoices with consecutive numbers or payable to post office boxes receive extra scrutiny.

Returned checks can supply useful information, too. Fraud perpetrators are more likely to cash checks, whereas legitimate businesses typically deposit them and rarely endorse checks to third parties.

To trace ghost employee schemes, experts examine payroll lists, withholding forms, employment applications, personnel files and other documents. The information collected from these sources may provide vital links between actual and ghost employees that wouldn’t otherwise be apparent.

To catch a thief

Strong internal controls are instrumental in preventing cash-type schemes. But even the strongest controls sometimes fail to prevent a determined fraudster. If that happens, we can help your business ferret out the fraud and track down the perp. Call or email us today for help– 205-345-9898 or info@covenantcpa.com.

© 2019CovenantCPA

Because they foster a collegial, trusting environment, law firms can be more vulnerable to fraud than many other types of businesses. Enforcing internal controls may simply seem unnecessary in an office of professionals dedicated to the law. Unfortunately, occupational thieves can take advantage of such complacency.

A law firm’s accounting department — payroll and accounts payable and receivable — may be particularly vulnerable. To protect against financial losses and possible public embarrassment, implement and enforce five basic controls:

1. Screen employees. Require all prospective employees, regardless of level, to complete an employment application with written authorization permitting your firm to verify information provided. Then, call references and conduct background checks (or hire a service to do it). These checks search criminal and court records, pull applicants’ credit reports and driving records, and verify their Social Security numbers.

2. Use fraud-resistant documents. The design of financial documents can help ensure proper authorization of transactions, completeness of transaction histories and adherence to other control elements. For example, use prenumbered payment vouchers that a designated partner must approve.

3. Require authorization. Authorization procedures can help prevent transactions from occurring without proper approval. In the example above, the designated partner is the authorizing party. This control is effective because the partner is in a position to know what the transactions are and how they pertain to your firm’s clients. Similarly, restrict access by maintaining current signature cards at your bank and by protecting accounting and billing systems with difficult passwords.

4. Segregate duties. Some smaller firms assign the same person to open mail, make bank deposits, record book entries and reconcile monthly bank statements. In this environment, fraud’s not only possible — it’s likely. It’s critical that your firm distribute these tasks to two or more people.

5. Provide independent oversight. A designated partner should open all bank statements. Even if the partner doesn’t review every item individually, employees will get the message that transactions will be verified. Someone outside the accounting department, such as your firm’s CPA, might also review transactions as they’re processed and financial statements at the close of accounting cycle reconciliations.

Even if your firm is like family — especially if your firm is like family — you need to reduce fraud opportunities by strengthening internal controls. If you aren’t sure if your policies are adequate, or if you’ve experienced a fraud incident, contact us at 205-345-9898 or info@covenantcpa.com.

© 2019 CovenantCPA

Buying a home is stressful enough without also having to worry about potential fraud. Unfortunately, real estate fraud is surging. According to Realtor magazine, scams targeting the industry rose 1,100% from 2015 to 2017, resulting in losses of more than $1.6 billion.

Home closing wire fraud should be of particular concern for prospective homebuyers. When schemes are successful, criminals can make off with buyers’ hard-earned down payments — several hundred thousand dollars’ worth in some cases. Here’s how to avoid losing the home of your dreams and the money with which to buy it.

The scoop

Home closing wire fraud involves hackers who typically use real estate agents’ email accounts to trick homebuyers into wiring money. Perpetrators send phishing messages containing links that, if clicked on, install malware. The hackers then infiltrate the agent’s email account and send messages to clients who are about to close on a home. Emails instruct buyers to wire closing funds to a specified account. Once the money is wired, the crooks quickly liquidate it. In most cases, the wired money isn’t recoverable.

Hackers also may target the email accounts of title companies, lenders, attorneys and sellers, and the process is the same. The criminals monitor emails to learn details about potential homebuyers and deals in progress and to learn how to create messages that will look and sound like they’re coming from a buyer’s agent or other real estate professional.

Group effort

Preventing home closing wire fraud must be a group effort. Homebuyers need to scrutinize emails they receive from their agents, attorneys and title companies. And those professionals need to ensure their accounts aren’t hacked in the first place.

Prospective buyers should ask their agents whether they’re aware of wire fraud scams and how they protect against them. For example, does the real estate company train agents to spot fraudulent emails? What type of firewall, antivirus and antimalware software does it use?

Many companies go to great lengths to prevent this type of fraud. They may, for example:

  • Prohibit their agents from emailing wiring instructions,
  • Require buyers to pay closing costs with a cashier’s check rather than a wire transfer, and
  • Employ cloud-based systems to screen emails and provide an extra layer of protection for confidential information.

At the very least, homebuyers should call their agents (or other real estate industry senders) to confirm the legitimacy of any message containing fund transfer or other potentially fraudulent instructions.

Natural target

Home purchases involve large sums, which makes them a natural target for fraudsters. Awareness of fraud schemes is the first step to avoid becoming a victim of them.

Contact us at 205-345-9898 or info@covenantcpa.com.

© 2019 CovenantCPA

For brick-and-mortar retailers, return fraud can be a serious financial threat. There are several types of schemes. But when they’re successful, they all end the same way: Stores issue refunds that they shouldn’t have. Here’s what to look for and how to limit losses.

Myriad schemes

Return fraud perpetrators could be customers, employees or even a criminal gang working with employee accomplices. In perhaps the most common scheme, an individual steals merchandise, and then returns it and insists on a cash refund, despite the lack of a receipt. Or a criminal steals merchandise from one retailer and then returns it to another for a cash refund.

Some thieves do supply receipts — but they’re fake. The “customer” hands over an altered or completely counterfeit receipt that the original payment was made in cash. The retailer then issues a full cash refund.

Other return fraud schemes might involve:

Stolen cards. The thief makes a purchase using a stolen credit card. He or she then returns the merchandise, usually on the same day (before the actual cardholder disputes the charge). The goal is a full cash refund.

Damaged goods. Instead of returning merchandise in new, as-sold condition, customers return items that are worn, damaged or broken. They distract the employee processing the refund from closely scrutinizing the merchandise with conversation or other diversions.

Crooked workers. An employee discounts merchandise and sells it to an accomplice who subsequently returns it to the same employee for a refund at full price. Workers might also steal merchandise and then instruct their accomplices to return it without a receipt for a cash refund.

Reducing crime

You can reduce the incidence of return fraud by making it hard for thieves to get their hands on cash. Issue refunds only when they’re accompanied by an original receipt and only to credit cards. Scan receipts into your point of sale system to ensure they were produced by your store’s registers. If a purchase wasn’t made with a credit card — or if the customer doesn’t have the card on hand — refund it with a store credit. You may also want to ask the customer to produce identification.

To help limit employee-perpetrated return fraud, install security cameras, ensure strong management oversight and provide a confidential fraud reporting hotline. In addition, monitor the frequency and value of returns processed by individual cashiers and investigate employees with higher-than-average return numbers.

Walking a thin line

Although you don’t want to encourage crooks, you may think a generous return policy is essential to providing superior customer service. So that you don’t alienate legitimate customers, state your return policies clearly at every cash register and on every receipt. And contact us for help writing a policy that balances all your priorities. 205-345-9898 or info@covenantcpa.com.

© 2019 CovenantCPA

The expense of preventing fraud is minimal compared to the cost of cleaning up after fraud has been committed. One common fraud deterrent is to monitor employees on the job. But are you legally entitled to monitor employees? The answer is “sometimes.” One thing is certain: You must follow current employment law to the letter.

Two competing interests

Many laws apply to employees’ privacy rights. In general, they attempt to balance employers’ interests in minimizing losses and injuries and maximizing production with employees’ interests in being free from intrusion into their private affairs.

By adopting and clearly communicating employment policies, your company can, within limits, establish its authority to conduct searches and surveillance that might otherwise be deemed intrusive. But before you state your policies, check with your attorney to ensure they don’t violate any federal or state laws.

Allowable actions

In most cases, federal law allows employers to take the following actions (but keep in mind that some state laws may be more restrictive):

Electronic activities monitoring. As a general rule, you can’t monitor employees’ use of electronic devices (including tracking Internet use) without their knowledge. But there are two notable exceptions. First, you can monitor if you have a legitimate business need to do so (for example, to record a client’s buy/sell instructions to a stockbroker). The second exception is when one party to a communication consents to the monitoring. If your company clearly states a policy to monitor communications, an employee is usually considered to have consented by remaining in the job.

Phone call monitoring. You’re generally allowed to monitor business-related phone conversations to and from the workplace. However, you can’t monitor personal calls and must hang up as soon as it’s apparent the call isn’t work-related, unless the employee has given you permission to listen in.

Physical searches. Exercise extreme caution before searching an employee’s person. If you feel a body search is necessary, don’t threaten or apply physical force or prevent the employee from leaving the room or workplace. Aside from possible referral to law enforcement, keep the search results confidential. This is to prevent leaks that could form the basis for libel or slander suits.

Surveillance. You can install cameras in your company’s offices or production areas, but usually not in “private” areas such as restrooms and locker rooms. As with other searches, surveillance records must be kept confidential. Only individuals who must know the information to properly perform their duties should have access to evidence of possible wrongdoing.

Avoiding land mines

Protecting your company from fraud while also adhering to employee privacy regulations can be challenging. To avoid legal land mines, develop your company’s policies with the help of an employment law attorney. Contact us at 205-345-9898 to learn more.

© 2018 Covenant CPA

Online shopping enables consumers to buy almost anything from the convenience of their own homes. But comfortable surroundings can lull online shoppers into a false sense of security. You wouldn’t leave your wallet unattended in a busy shopping mall or enter a sketchy-looking shop, yet you may be taking similar risks on the Internet.

One of the biggest risks is shopping on fraudulent sites or making purchases from crooked marketplace sellers who have no intention of shipping the goods you’ve paid for. Here are three suggestions for protecting yourself:

  1. Use feedback features. When shopping in online marketplaces such as eBay or Amazon, pay close attention to ratings and comments provided by previous customers about individual sellers. Bear in mind, however, that some online review platforms allow sellers to request the removal of negative reviews. And while reputable marketplaces and review sites do their best to block fake reviews, it’s possible for sellers to boost their profile by paying “customers” to post five-star ratings and raves.
  2. Perform basic research. Before making a purchase from an unfamiliar retail site, plug the site’s name into a major search engine. Because negative information may not appear at the top of search results, look beyond the first or second page. In some extreme circumstances, disgruntled customers set up their own sites to air grievances about an online retailer or you may find news of legal action. Also be wary if you find almost no information about a retailer. Some scam artists frequently change the names and addresses of their sites to stay one step ahead of the law.
  3. Always pay with a credit card. Credit card companies generally allow their customers to dispute fraudulent charges and get their money back if they don’t receive the goods they purchased. So beware of online sellers who ask you to pay by check, ACH or wire to avoid credit card processing fees. Online marketplace scammers sometimes ask customers to skip the site’s payment system and pay them directly. This is dangerous because it places a transaction beyond the reach of the marketplace’s fraud detection and prevention systems.

Most online merchants deliver on their customer commitments. However, a small percentage take advantage of the Web’s anonymity to commit fraud. Be sure to check out any site or seller you intend to do business with and, just as important, listen to your gut. If something makes you uneasy, don’t proceed with the transaction. Contact us for more information at 205-345-9898.

© 2018 Covenant CPA