A 'low-tech' fraud that can cripple companies
This post by Bird Lovegod was first published in the Yorkshire Post
Business is hard enough without having to worry about losses through fraud. Which is why many small businesses, charities, and organisations don’t give it a thought, and in doing so expose themselves to damaging and in many cases easily avoidable losses.
In this article I’d like to draw attention to one of the most frequent and persistent kinds of fraud, often called ‘authorised signatory’ fraud. It’s surprisingly common, the losses can be slight, or run into millions, and it’s often quite ‘low tech’ because it’s done by a trusted person within the company or organisation.
In large companies the roles of employees tend to become increasingly narrow and specific as the volumes of tasks increases. Counter to this, in SMEs and SMO’s (small charities and non profits) it’s usual for people to have many roles and duties, it’s part of the requirements and comes with the job.
This creates circumstances where the same person might be responsible for opening the post, logging payments, doing the daily accounts, sending invoices, and running the payroll. And this is where the risk is. If one person has the ability to act dishonestly across enough processes they have the potential, if they are so minded, to take money or goods from the organisation and cover their tracks as they do so. It’s a serious crime and a breach of trust that can go on for years. Here’s a few questions for Directors to ask:
Is there potential for creating false invoices, with the money being paid to the fraudulent account?In enterprises with high frequencies of purchasing across many suppliers and low levels of control it’s very easy for this to happen. Any business can be at risk, from restaurants and retailers to service providers and agencies. In the HR processses is there potential for creating ‘false employees’ especially temps and off site workers, increasingly so in the modern era of freelancers. Big organisations can be particularly susceptible, a recent instance saw an NHS nurse leave the profession but return to the hospital every week for several months to hand in a fraudulent time sheet.
Cheques are quickly disappearing from personal banking but many businesses and organisations still use them, especially those who have yet to go ‘fully digital’. Then there’s instances where companies hold monies for customers on deposit. This could be as simple as a company taking deposits for goods, or in tech companies, when customers have a credit account.
So, what can responsible managers do to prevent authorised signatory fraud?
Much of the solution is the way roles and duties are structured in a company. The main thing is to ensure no one individual has ‘end to end’ financial ability within their department. In practice this means making sure it’s at least a two step process to generate and pay for invoices, payrolls, and other expenses, and that different people are required for the stages. A list of approved suppliers should be created, and practices put in place to make it impossible to add a new supplier without proper checks being conducted. The recipient bank accounts should be checked for duplicates, as should those of the payroll if it’s extensive. It’s a lot easier to build a fraud resistant system than it is to back check years of transactions, and prevention should be the first thing to consider.
There’s also technological solutions to authorised signatory fraud on the market, frequently using blockchain technology to create ‘trustless’ systems. These are systems in which it isn’t necessary for everyone to trust one another, because the system itself ‘auto checks’ every process and transaction against a set of rules. Blockchain company Cygnetise have already rolled out a proven system for approval of authorised signatories in large organisations. It may be some time before such platforms are a viable choice for smaller enterprises, so the most important thing is for the financial controllers, directors, and owners to get involved and make sure the systems they have in place are rugged and secure. In many instances, they’ll be surprised how vulnerable they’ve been all these years.