Follow the Money

QuickBooks Security Enhancements 101 begin with password protection.  I know it’s no fun.  But it sure beats dealing with fraud.  Passwords have many benefits for a small business.  First, if a busy small business owner is willing to deal with the hassle of passwords (and yes there is a hassle factor) then it signals an interest in security that is matched with action. 

Limiting users to where you need them to be in QuickBooks is effective in terms of fraud control and limiting errors.  The only way to control user access is assigning passwords to users.  Doing it right requires setting up one user as the Administrator. 

The Administrator role is critical.  Ironically, it may be best to assign these tasks to trusted, senior employees who actually do minimal or no bookkeeping.  That's because the key functions of the Administrator are more related to understanding the concepts related to business financials, rather than making specific account entries.  This person will have unlimited access to all areas of QuickBooks and sets up the passwords and access permissions for all other users.  The Administrator is the one who can structure the company set up to make sure the use of passwords is mandatory.

The Administrator set up process should also include setting up the closing date.  (Many common frauds involve changing records from prior periods.)  This date should also be password protected. 

Finally the most important password tip is that they should be changed regularly.  Especially the Administrator password.

There are all kinds of best practices around selecting a password that can be discussed at another time.  While they are helpful, no password choice is bullet proof.  On the other hand, regular changes in passwords make it impossible to perpetuate fraud.  If your QuickBooks is set up to process credit cards, you’ll be required to change passwords at least every quarter.  Making it a company policy is yet another effort worth making. 

So here’s a true-crime example of small business fraud :

A hardware store owner purchases a new computer system.  Despite extensive training, his bookkeeper of 15 years cannot fulfill her duties on the new system.  In tears, she finally resigns.  Over the next two months, he finds that the accounts receivable are overstated by $80,000.  It turns out the bookkeeper was keeping two sets of books.  She billed customers and sometimes deposited their checks in the business account, and other times in her account.   She used different customer payments to “offset” the payments that hadn’t been given to the business.  It gets complex to keep this up, presumably the reason the new system was one item too many to keep track of.   

Let’s talk prevention and QuickBooks.  This scam is common and preventable.  Start with using the Aging Report to look at who is paying what bills.



Then compare this Aging Report against your actual bank deposits.  This is particularly easy if all your payments go to an account called Undeposited Funds.  Typically your QuickBooks preferences are set up to do this.  If that's the case,  then the program has automatically collected the information on each transaction.  As you move through the the bank reconciliation process, it’ll be comparing payments to deposits as you go.  Even though it’s fast and easy, it is important that someone other than your bookkeeper does this.  If you don’t have the staff,  use your accountant (who might also be a QuickBooks Proadvisor).  Please note the link is a shameless plug.

Seriously though, without someone else checking the books this type of scam is pretty easy to do (after all the bookkeeper is essentially doing the same set of steps required for their day job) and relatively hard to detect.  Just double checking this one part of the process when you do the reconciliation can easily pay for itself.  Small effort with big pay off.  The key is doing it consistently.   

My intent here was to focus on combating fraud with QuickBooks, but some new cyber scams that put businesses at risk caught my attention, and I wanted to highlight them as well.  One is called "ATM skimming".  The way this works is that a crook adds some equipment to an ATM that causes you to inadvertently either give away the card number you are using and the PIN that goes with it.  Yikes!  There are a number of ways this is done, either cameras or scanning devices surreptitiously installed on the machine.  According to the folks at Bankrate.com fraudsters take about $1 billion a year this way.  Bankrate warns that you need to report missing money from your account within 2 days to be protected by your bank.  If you report it within 60 days your liability is limited to $500.  Besides regularly checking your bank balance, other tips to prevent skimming include:

-  Place one hand over the keypad when you key in your PIN

-  Use a number of ATMs regularly and keep switching between them.  This will allow you to notice if anything has changed about the physical configuration of the machine and the area nearby.  (If so, don't use it unless your bank verifies they made the change.)

-  Stay away from ATMs that are in dimly lit / isolated areas.  It's harder to keep track of changes to the machine and easier to install camera that can't be detected. 

The second type of theft involves malware getting into your computer and gaining access to your onlin account information.  Just at the end of September dozens of arrests were made world-wide breaking up a ring that used a version of the "Zeus Trojan" program to do just this.  The ring allegedly stole about $70 million dollars.  JP Morgan Chase, E*Trade and TD Amertirade accounts were among those compromised.  Again, the biggest prevention tool here is regularly checking bank balances to make sure they're where they belong.  (This is where QuickBookscan be a big help. It would take some setting up, but you could monitor accounts through reports on their balances.)   Making this particular crime ring even worse than those seen previously was their practice of jamming the victim's phone line for a week.  The bank can't reach you and you can't reach them.  If you think this is happening to you, a non-phone alternative is notifying the FBI at the Internet Crime Complaint Center Website. 

It’s true that many of the steps associated with protecting your business are not obvious or intuitive at first.  However, some are easy and easy to remember.  One of those for QuickBooks users is the Audit Trail Report.  If there’s malfeasance or error in your books one would expect to see it in the Audit Trail Report.   That’s a pretty good assumption, though the report does have some blind spots.  First though, let’s look at what it does do.

To do this task

1.    Go to the Reports menu and click Accountant & Taxes.

2.    Click Audit Trail.

In a nutshell the Audit trail report lists any changes to an accounting transaction and what user initiated that change and when.  Each time a transaction is changed, the report will highlight the changes in bold italic type.  Each transaction heading is in bold and it details the type of transaction and which is the latest version of the transaction.  If a transaction is changed more than once, the changes are sorted by date.  Here's a sample of what you'll see...

If you check this report regularly you’ll get to see patterns of changes that can be used as a guide to areas for improving both employee training and tips for areas to investigate.  If your accountant reviews your QuickBooks regularly, have them take a look at the report and then give you a heads up if they see any patterns or things that should be changed.   It’s not just fraud that comes up here,  the report can show errors as well. 

One big caveat is that the audit trail monitors changes to transactions.  It does not looking at changes to lists.  So if you merge accounts or “delete” a user that information won’t show up on the report.  It’s not bullet proof, but what information it does provide is helpful. Mistakes in bookkeeping cost real money.  Putting some energy into fraud and error protection is time and money well spent.