Follow the Money

Intuit provided this true-fraud example in a recently published Security White Paper.

  “Here’s a real real-world fraud case that involved an employee who modified deposits to steal money owed the business:  This particular business provided music and art lessons to students. The employee would accept a customer payment, and then post the payment to the customer account. The employee would then enter a discount on the Receive Payments window offset to some catch-all account such as Opening Balance Equity, an account that has a significant overstated or understated balance for most companies. Cost of Goods Sold and income accounts carry large balances, too, so employees may try to bury activity in the detail of those accounts as well.”

 One way to catch this kind of fraud is to make sure you – or someone who is not responsible for bank deposits  -- is on top of Receivable collection.  To start, make sure your aging report and your general ledger balance are exactly the same.

 It’s also worth the time and trouble to follow up on partial collections and receivables that don’t have complete information.  It helps you get paid more promptly, ensures your receivables are in good shape should you decide to seek credit and reduces both errors and fraud.  Pretty good return on investment for your time or the use of a QuickBooks Proadvisor.  (Guess who I’m thinking of with that last suggestion.  LOL.)



If I were the type of person who was intrigued with tattoos I’d probably have the words "segregation of duties" on my arm surrounded by a heart.  (Trust me, there's no danger of this actually occurring, it was just a thought.)  It’s not the only component of internal control that’s important, but it’s an action you can take that immediately provides a layer of additional protection.  This protection is from both errors and abuse, so the benefit to your business is quickly larger than the effort expended.

Quickbooks provides a tool for de facto segregation as you set up a new user.

Creating different access points for different users is the obvious intended use of this feature.  I'd like to highlight one other important component of this selective access capability.   You can configure rights for existing transactions.  This option controls the users ability to manipulate existing transactions.  In particular this feature stops the user from changing or deleting a transaction, even if he or she created it in the first place.    This is one case though, where the fine print is really important.  Here’s the key info directly from the QuickBooks 2010 Manual.

 - Note: If you do not give a user permission to delete transactions, he or she can still delete a transaction they create as long as it was created during the same QuickBooks session.

 The emphasis is added.  So if your bookkeeper leaves QuickBooks open and just puts the computer in power save mode rather than turn it off, the session never ends.  You’ve put in the safety feature, but it’s in effect disabled. 

This is a vivid example of why it's important to consider your control environment, not just the technology.  The software protection can only take you so far.  Having policies and procedures around how financial recording and reporting is done is a key success factor for internal control.  Consistently enforcing and practicing them is another equally essential step.  The combination is a winner each and every time.  Remember, a thief only has to get lucky once. 

So here’s a true-crime example of small business fraud :

A hardware store owner purchases a new computer system.  Despite extensive training, his bookkeeper of 15 years cannot fulfill her duties on the new system.  In tears, she finally resigns.  Over the next two months, he finds that the accounts receivable are overstated by $80,000.  It turns out the bookkeeper was keeping two sets of books.  She billed customers and sometimes deposited their checks in the business account, and other times in her account.   She used different customer payments to “offset” the payments that hadn’t been given to the business.  It gets complex to keep this up, presumably the reason the new system was one item too many to keep track of.   

Let’s talk prevention and QuickBooks.  This scam is common and preventable.  Start with using the Aging Report to look at who is paying what bills.



Then compare this Aging Report against your actual bank deposits.  This is particularly easy if all your payments go to an account called Undeposited Funds.  Typically your QuickBooks preferences are set up to do this.  If that's the case,  then the program has automatically collected the information on each transaction.  As you move through the the bank reconciliation process, it’ll be comparing payments to deposits as you go.  Even though it’s fast and easy, it is important that someone other than your bookkeeper does this.  If you don’t have the staff,  use your accountant (who might also be a QuickBooks Proadvisor).  Please note the link is a shameless plug.

Seriously though, without someone else checking the books this type of scam is pretty easy to do (after all the bookkeeper is essentially doing the same set of steps required for their day job) and relatively hard to detect.  Just double checking this one part of the process when you do the reconciliation can easily pay for itself.  Small effort with big pay off.  The key is doing it consistently.   

My intent here was to focus on combating fraud with QuickBooks, but some new cyber scams that put businesses at risk caught my attention, and I wanted to highlight them as well.  One is called "ATM skimming".  The way this works is that a crook adds some equipment to an ATM that causes you to inadvertently either give away the card number you are using and the PIN that goes with it.  Yikes!  There are a number of ways this is done, either cameras or scanning devices surreptitiously installed on the machine.  According to the folks at Bankrate.com fraudsters take about $1 billion a year this way.  Bankrate warns that you need to report missing money from your account within 2 days to be protected by your bank.  If you report it within 60 days your liability is limited to $500.  Besides regularly checking your bank balance, other tips to prevent skimming include:

-  Place one hand over the keypad when you key in your PIN

-  Use a number of ATMs regularly and keep switching between them.  This will allow you to notice if anything has changed about the physical configuration of the machine and the area nearby.  (If so, don't use it unless your bank verifies they made the change.)

-  Stay away from ATMs that are in dimly lit / isolated areas.  It's harder to keep track of changes to the machine and easier to install camera that can't be detected. 

The second type of theft involves malware getting into your computer and gaining access to your onlin account information.  Just at the end of September dozens of arrests were made world-wide breaking up a ring that used a version of the "Zeus Trojan" program to do just this.  The ring allegedly stole about $70 million dollars.  JP Morgan Chase, E*Trade and TD Amertirade accounts were among those compromised.  Again, the biggest prevention tool here is regularly checking bank balances to make sure they're where they belong.  (This is where QuickBookscan be a big help. It would take some setting up, but you could monitor accounts through reports on their balances.)   Making this particular crime ring even worse than those seen previously was their practice of jamming the victim's phone line for a week.  The bank can't reach you and you can't reach them.  If you think this is happening to you, a non-phone alternative is notifying the FBI at the Internet Crime Complaint Center Website.