Every time your business interacts with customers is an opportunity to build trust. And it’s an opportunity you can’t afford to neglect. Look at customer data. When customers hand over personal and financial data to your company, they expect you to do everything in your power to protect it from hackers — as well as non-criminal third parties. If you don’t? Just look at some of the companies affected by major data breaches.
Provide fraud notices
Unless you run a cash-only business, you collect financial data from you customers every time you process transactions. If you offer credit accounts to business customers, you probably collect even more information. You’re obliged to ensure this data doesn’t fall into the hands of thieves and fraud perpetrators.
Consumers don’t need to understand the inner workings of your fraud prevention efforts. However, they must trust that you have an effective program in place. Provide notices on your website and train customer service representatives to answer questions about your fraud prevention program. If you require customers to use passwords or answer questions to prove their identities online, explain why these steps are necessary.
Explain how you share data
Criminal activity isn’t the only thing customers worry about. Increasingly, they want to know how businesses willingly share — and often profit from — their data. Given the patchwork of data privacy regulations, most consumers know little about the laws and regulations governing businesses. In layman’s terms, briefly summarize which ones cover your company’s activities, as well as your commitment to honoring the spirit and intent of them. Note that if you have customers in the European Union (potentially any company with a website), you need to comply with the EU’s stringent data protection laws.
As a general best practice, don’t collect any more data from customers than you absolutely need. If you intend to share it with third parties, inform customers at the time you request the data and allow them to opt out, if possible. Keep in mind that some customers will probably go elsewhere if they know you plan to share their data or if your business model is largely based on sharing data. Nevertheless, transparency is critical.
All about communication
Whether you’re trying to prevent fraud or share data with third parties responsibly, keep your customers informed. Good interpersonal relationships are based on trust — and that’s just as true for business relationships.
© 2020 Covenant CPA
Businesses and fraud experts often face a long, arduous process when investigating any occupational fraud incident. When the suspect is a member of upper management, it’s exponentially harder.
In theory, investigating executives shouldn’t differ from the process of investigating rank-and-file employees. In reality, the authority and influence of an executive can slow — even shut down — a fraud investigation. You need a plan to prevent interference and facilitate the collection of evidence that can be used in court, if necessary.
The first step is to brief the executive’s chain of command. As soon as allegations surface, work with your company’s human resources and legal departments to make the suspect’s superiors aware of the situation. If you believe the fraud may involve the executive’s immediate boss, brief someone higher up the chain of command.
To minimize the potential for rumors and information leaks, limit the number of employees with knowledge of the investigation. Instruct them to refrain from discussing the case with anyone within or outside the company. Better yet, hire a fraud investigator to handle most of the investigation. An outside expert knows how to protect confidential information and is able to remain professional and impartial when interviewing suspects and potential witnesses.
If employees participate in the investigation, involve only experienced and trustworthy people. An investigation of an executive inevitably attracts greater scrutiny from the senior executive team and stakeholders such as investors. So make sure the team conducts the investigation in strict compliance with your company’s personnel policies and employment law. Investigation-related electronic files should be password-protected and physical documents stored on-site should be secured in a locked filing cabinet.
Many companies are hesitant to discipline (particularly, to terminate), an executive involved in wrongdoing due to potentially negative publicity. In fact, many senior executives expect to see overwhelming evidence of wrongdoing before they agree to take action against a colleague. Keep this in mind as your team conducts its investigation.
You should try to assemble convincing evidence of fraud before formally interviewing the suspect. To avoid being overwhelmed or overpowered by the executive, a professional fraud examiner or a superior executive should conduct the meeting. Should the need arise to suspend the executive pending further review, make sure someone with the appropriate authority is present.
Cost is too high
Investigating allegations of wrongdoing by an executive can be stressful, but it’s critical. According to the Association of Certified Fraud Examiners, the median loss associated with fraud perpetrated by an owner or executive is $850,000, compared with $100,000 for non-management employees. If you suspect executive fraud, don’t hesitate to contact us.
© 2020 Covenant CPA
Financial statement manipulation is the costliest type of occupational fraud. The latest Report to the Nations published by the Association of Certified Fraud Examiners found that the median loss from financial statement fraud was $800,000, compared to median losses of $114,000 for asset misappropriation and $250,000 for corruption.
With any type of fraud, the sooner it’s detected, the more likely losses can be mitigated. One tool management and fraud experts might use to assess the likelihood of earnings manipulation is the Beneish model.
The Beneish model measures the probability that a company’s revenue has been inflated and its expenses have been understated. The model generally computes an “M score” from comparisons between consecutive financial reporting periods of various metrics, including:
- Days sales in receivables,
- Gross margin,
- Asset quality,
- Sales growth,
- Sales general and administrative,
- Leverage and
- Total accruals to total assets in the current reporting period.
These metrics are designed to capture the effects of earnings manipulation or preconditions that can prompt a company to engage in earnings manipulation.
The economics professor who created the Beneish model admits there are some important limitations to the technique. Notably, the model can’t reliably be applied to privately held businesses because it was developed using public company data. Additionally, his sample involved manipulation to overstate earnings. Therefore, the model isn’t useful in circumstances where it could prove advantageous to reduce earnings — for example, to push revenue into the next quarter to help meet a target for that quarter.
Some distortions in financial statement data also could have a cause that’s unrelated to earnings manipulation. A metric might be distorted by, say, a material acquisition during the period examined, a material shift in the company’s strategy for maximizing value or a significant change in the relevant economic environment.
Simply a red flag
Because it’s relatively easy to use, the Beneish model can be an efficient screening tool for earnings manipulation. It’s important to note, however, that a high M score doesn’t prove fraud. Rather, it suggests that further investigation, preferably by forensic accounting experts, is necessary.
© 2020 Covenant CPA
When Dan received a large shipment of highlighter markers, he was confused. He didn’t remember ordering them — and he was the company’s sole office supplies buyer. Yet when he received an invoice for the markers a week later, he approved it for payment. After all, employees were already using the highlighters.
Dan fell for a typical office supply scam — and his company paid for the mistake. Here’s how to protect your business from this type of fraud.
Office supply scams typically begin as telemarketing fraud, with someone calling your business to obtain your street address and the name of an employee. Callers may ask for the person in charge, claim to need information to complete an order or pretend to verify an office machine’s serial number. The goal is to get a name that will lend legitimacy to bogus shipments and invoices.
The fraudster then attempts to perpetrate an office supply scheme, including one of the following:
Phony invoices. A supplier ships poor quality products and then, a week or two later, sends a pricey invoice. The delay is intentional: The fraudster hopes you won’t notice that the final price is much higher than you’d pay for better quality products. The person is also hoping you’ve used some of the products and feel obligated to pay for them.
Promotional items. Some pretenders offer to send you a promotional item. Before they hang up, however, they’ll mention in passing that they’re going to throw some ink cartridges in with the free coffee mug. What they don’t mention is that they’ll also throw in a bill for the ink.
Gift horses. A perpetrator sends a promotional item to an employee and follows up by sending unordered merchandise to you. When you receive the bill with the employee’s name on it, you question the employee. The scammer is hoping the employee will be so nervous about accepting the promotional item that you’ll end up believing the worker mistakenly ordered the merchandise.
Stop supply fraud
To keep your business safe from office supply fraud:
- Tell employees to transfer all telemarketing calls to one or two designated buyers.
- Provide buyers with procedures for documenting and approving purchases.
- Set up a system for generating purchase order or internal reference numbers.
- Instruct vendors to include those numbers on their shipment documents.
- When you receive merchandise, inspect it and verify that you ordered it and that the packing list matches the box’s contents.
If everything’s in order, receiving employees should send copies of the bills of lading to accounts payable for reconciliation with the order.
Know that you aren’t legally required to pay for anything you didn’t order. Unless there’s a legitimate mistake on an order, you may treat any unrequested merchandise as a gift and use it as you like. If suppliers hassle you, discuss the matter with your legal and accounting advisors.
© 2020 Covenant CPA
All complaints will be swiftly and thoroughly investigated.” No doubt this sentence, or something similar, appears in your company’s employee handbook. Unfortunately, there will likely be a time when you’ll have to put those words into action. Whether an employee alleges discrimination or harassment, or reports a coworker for theft or fraud, you’ll need to handle the complaint appropriately.
Keep these five best practices in mind to avoid unnecessary legal complications:
1. Maintain confidentiality. Take every precaution to keep details of the allegation private — especially the identities of the accused and the accuser. Remind managers that they need to have all conversations behind closed doors, store all meeting notes securely and speak only to those people who are necessary to the investigation. Assure workers involved in the investigation that it will be held in strict confidence and inform them that they aren’t free to talk about any part of the process.
2. Conduct productive interviews. Be prepared with an opening statement that describes what’s being investigated, then ask open-ended questions that encourage employees to say more than “yes” or “no.” Ask all interviewees the same questions so that you can compare answers, identify patterns and uncover discrepancies. Also, have a witness present to verify what occurred during the interviews.
3. Avoid bias. Keep an open mind while gathering facts. Just because an employee has a reputation around the office as a “troublemaker” or “crank,” doesn’t mean that person is lying or guilty of an impropriety. Consider hiring a third-party investigator, such as a fraud expert, to handle interviews. This can help preserve impartiality and show all parties that the investigation is being taken seriously.
4. Document activities. Make detailed notes on all the steps of your investigation. Include the dates and times of workspace searches, computer forensic activity and conversations. After every interview or action taken, review your notes to ensure they capture all relevant information.
5. Close the loops. Even if an investigation turns up no evidence of misconduct or criminal behavior, you need to follow up and close the loop with those involved. When complaints are found to have merit, take appropriate action as quickly as possible. You may be able to handle some minor issues with in-house personnel. But consult your legal and financial advisors — and possibly law enforcement — in more serious cases.
Contact us if you need help investigating a fraud allegation.
© 2020 Covenant CPA
You may think your business has enough insurance already. But if it’s vulnerable to employee theft and fraud — and most businesses are — you may want to consider adding more coverage. Some insurance companies offer policies to protect against loss of money and property due to criminal acts by employees. Here’s how to decide whether your business needs one.
Employee dishonesty insurance can cover not only theft of money, property and securities, but also willful damage to property. If, for example, an employee smashes a computer or kicks a hole in a wall, it’s likely covered. And this type of policy covers losses from all employees. However, coverage generally is based on occurrences. So if more than one employee is involved in a single theft, the payout will be based on that single occurrence.
Rates and deductibles typically depend on a business’s level of risk. But separate employee dishonesty insurance policies are likely to have higher loss limits and more customized coverage than is available with coverage offered as part of a business insurance package.
Employee dishonesty insurance covers only property your business owns, holds for others or is legally liable for. It usually doesn’t cover theft or damages caused by employees of businesses that provide services to your company. (For coverage related to third parties, such as contract workers, you may need to add “endorsements” or buy a broader business crime policy.)
Employee dishonesty insurance also generally won’t cover loss of:
- Intangible assets such as trade secrets or electronic data,
- Loss of employees’ property,
- Damage covered by another insurance policy, or
- The unexplained disappearance of property.
The burden of proof for employee dishonesty claims is solely on the policy owner. Insurance companies will pay claims only if there is conclusive proof that an employee caused the loss.
Finally, employee dishonesty insurance isn’t a substitute for a fidelity bond if a bond is required by a funding source or other contractual agreement. And such bonds can offer advantages. For example, Federal Bonding Program bonds, intended to encourage employers to hire hard-to-place applicants, reimburse employers with no deductible for loss due to employee theft.
Consider your options
Before buying employee dishonesty insurance, look closely at what your general liability or business owner’s policy covers so that you don’t pay for the same coverage twice. And keep in mind that some businesses — such as restaurants and retail stores, where employees often handle cash — may benefit from it more than others. For help determining what your company needs and finding affordable coverage, contact us.
© 2020 Covenant CPA
A Small Business Administration (SBA) loan can make big things happen for your small company. But the agency’s loan program is sometimes abused by con artists who know that many small business owners have little experience applying for financing and are, therefore, vulnerable to scams. Here’s what you should know.
Background on SBA products
The SBA provides various financing options with favorable terms and greater flexibility to small businesses and start-ups. It doesn’t disburse loans directly but gives lenders federal guarantees and backing to reduce lending risk. Individual businesses must themselves make arrangements with financial institutions that make loans.
Three key SBA programs are:
1. SBA 7(a) loans. This is the flagship product. It typically frees up working capital needed to acquire equipment, real estate or inventory.
2. Microloans. This program is more targeted. Smaller amounts are disbursed quickly to address short-term needs.
3. SBA 504 loans. This program is commonly used for commercial real estate purposes, such as the cost of buildings, land, equipment and renovations.
Look for red flags
If you’re applying for one of these types of loans, how can you avoid becoming a fraud victim? The government warns small business owners to be wary of companies offering to help them secure money from an SBA program. In particular, watch out for services that charge exorbitant fees or that guarantee you’ll get a loan if you work with them. In general, legitimate services don’t charge upfront fees to broker loans, perform credit checks or “process” applications. So if you’re asked to pay, walk away.
Fraud perpetrators also might claim that your business will be issued a forfeiture letter making it ineligible for any SBA funding if you don’t use their services. High-pressure sales tactics, such as threats or limited-time offers, are reliable indicators that you’re dealing with a fraudster. One way to verify suspicious claims is to call the SBA yourself.
Other bad actors may not ask for money at all. They’re simply after personal information that will enable them to steal your identity or access financial accounts. Don’t provide your Social Security number, bank account information or credit card information to any unsolicited caller or emailer.
Choose assistance carefully
Of course, many reputable businesses help companies apply for SBA loans — and they can make the process easier. But be sure to investigate the reputation of any business that contacts you. Better yet, ask trusted advisors or other small business owners for referrals.
© 2020 Covenant CPA
Some fraud schemes refuse to die. Jury duty scams existed long before phishing, malware and other cybercrime methods became synonymous with identity theft. Yet just this month, the U.S. Marshals Service issued a fraud advisory about this old-school con that’s enjoying a resurgence.
Here’s how jury duty scams work: Perpetrators posing as court officers, U.S. Marshals and other members of law enforcement call unsuspecting victims, warning them that they’re about to be arrested because they haven’t reported for jury duty. When the targets assert they haven’t been notified that they’ve been selected, the scammers ask for information to “verify their records.”
The information the scammers want, of course, is a victim’s Social Security number and date of birth. Some go a step further and request bank account information, claiming they need an account routing number and other details to facilitate the direct deposit of jury checks.
Alternatively, scammers tell victims that they can pay a fine in lieu of arrest. They request payment via a prepaid debit or gift card and ask the victim to read the card number over the phone. In some cases, crooks ask victims to deposit cash into a bitcoin ATM. Both methods ensure that the funds are unrecoverable once they’re transferred.
Know the facts
The truth is, courts virtually never call prospective jurors — even those who don’t report as scheduled. Most courts rely on the U.S. postal system for follow-ups and they never ask for confidential personal information.
Unfortunately, many people are caught off guard by this scam. Disconcerted to learn that they may be arrested for evading jury duty, even those who ordinarily would be cautious about providing personal information over the phone may give the callers what they want.
Remember that the spiel doesn’t matter. What’s important is that bogus jury duty calls are the same as any other telephone scam. You should never give confidential information or transfer funds to unverified callers&ndsh;even when threatened with arrest.
Report and verify
If you think you’ve been scammed by a con artist posing as a court or other official, report it to your local FBI office or the Federal Trade Commission. And if you’re unsure about whether you really do need to report for jury duty, contact your local courthouse.
© 2019 Covenant CPA
Like many sectors of the economy, the healthcare industry regularly suffers data breaches. Healthcare analytics company Protenus has found that nearly 32 million patient records were breached between January and June 2019 alone.
Alarmed? You should be. However, there are steps you can take to reduce the risk that thieves will get a hold of your medical records and use them for nefarious purposes.
Why they’re valuable
Unlike other types of personal data, healthcare records command a hefty premium on the black market. That’s at least partly because criminals can potentially use information about an individual’s health to blackmail him or her.
Also, stolen medical records include valuable details about people’s identities. In fact, there’s usually enough information in medical files to facilitate extensive identity theft. These schemes can involve health insurance-related fraud as well as financial account and tax fraud schemes.
What you can do
The following four steps can help you protect your personal medical and other data:
- Be careful what you share with providers. Healthcare providers typically ask for a lot of personal information, including your Social Security number. But you aren’t obligated to provide it. If in doubt regarding whether a piece of data is critical to receiving care, ask your provider. If the provider says the information is necessary, learn how it plans to use the data —and protect it from thieves.
- Read the small print. Apply the same caution to healthcare apps. Only provide access to data that’s critical for the service. Read the service provider’s terms and conditions and its privacy notice so that you understand how and where your data might be used.
- Closely review insurance statements. Sometimes the first sign of identity theft is an insurance company statement detailing medical services you didn’t receive. Go over every insurance document and contact your insurer and the medical provider immediately if you spot any discrepancies.
- Don’t assume privacy online. Revealing personal details online (for example, with a large group of “friends” on social media) may provide criminals with enough information to steal your identity. Keep in mind that a dedicated criminal could piece together a detailed profile of you simply by visiting multiple sites where you’re active.
If your data is compromised
If you fear your healthcare information was included in a data breach or has otherwise been compromised, consider contacting the three major credit bureaus to freeze your credit file. This prevents the unauthorized creation of new accounts. Also step up your monitoring of insurance statements to ensure no one is filling prescriptions or making office visits in your name.
© 2019 Covenant CPA
You may suspect that an employee has stolen from your company. But without evidence of a crime, you’ll have a hard time pursuing prosecution. So if you discover a fraud, first call your attorney. Then take immediate steps to preserve the evidence.
Safeguard paper documents
Place any hard documents related to the possible fraud in a safe location that’s accessible only to key people. The fewer who handle it, the better. Don’t make notes on any paper documents and, unless necessary, don’t let them be handled. Instead, make separate notations about when and where they were found and how you preserved them. A court case can be derailed if you don’t preserve the chain of evidence and can’t prove to a judge’s satisfaction that the documents haven’t been tampered with.
Handling paper documents is relatively easy as long as you approach the task with care. You can copy anything you need to continue operations and turn the originals over to a fraud expert or law enforcement for fingerprinting, handwriting analysis or other forensic testing.
Take care with technology
Digital evidence can be another story, especially if your IT
staff isn’t trained to react to fraud incidents. Even if these employees are
highly skilled at setting up and troubleshooting your computer applications,
they’re unlikely to be fully aware of the legal ramifications of having a
computer or mobile device used to commit fraud.
IT staffers could inadvertently alter or destroy evidence in the course of restoring a computer to normal operations. To avoid such mishaps, arrange for training so that these employees know how to respond to fraud incidents. They should be instructed to stop any routine data destruction immediately. If your system periodically deletes certain information &mdsh; including emails &mdsh; that process must be discontinued the minute you notify them that something is amiss.
If no one has a background in computer forensics, turn the investigation over to an expert as soon as possible. Forensic experts can identify and restore deleted and altered records, digital forgeries and files that have been intentionally corrupted. They also can access many password-protected files and pinpoint unauthorized system access.
If you’re unsure about how to handle fraud evidence, simply take steps to restrict access to it, then ask your attorney about the next step. Better yet, contact us before you discover fraud. We can help ensure you have the necessary training and procedures in place to preserve evidence if an incident ever occurs.
© 2019 Covenant CPA