A Company Full of Unethical Employees: The High Risk of Small Business Fraud
By Russ Gambrel, Senior Consultant, Finance & Advisors Practice at The Fahrenheit Group
I’ve spent a good chunk of the past two decades designing and assessing control systems for organizations of all shapes and sizes. I was working in Silicon Valley at the dawn of Sarbanes-Oxley and it was my experience that the vast majority of companies were finally giving their long-ignored operational controls some much-needed attention. Like so many other evolutionary changes in American business, this re-doubling of efforts was mandated by corporate scandal. And compliance in Silicon Valley was neither cheap nor easy in the post-Enron new world.
Perhaps the biggest surprise back then was just how vulnerable the smaller startups were to fraud and misappropriation of assets. It seemed counter-intuitive to me. Bigger companies have hundreds or thousands of employees to vet and track. They can be spread over disparate corners of the contiguous 48 in multiple facilities. Designing and maintaining such a large control infrastructure just seemed a much more daunting task than keeping track of 30 or less people in a single office. I was dead wrong. And lots of research since backs me up on this. Turns out the smaller the organization, the bigger the risk of fraud and abuse.
My go-to line when discussing internal controls with clients is as follows: a perfect set of internal controls is indifferent to who is operating them. A given organization with rock-solid financial controls could hire a company full of unethical employees and it simply wouldn’t matter. Try as they might, penetrating the defenses presented would be impossible without wide-scale collusion. And as a result, the closer employee trustworthiness gets to irrelevancy, the small business owner breathes easier.
Resisting a didactic lecture on the subject, I will simply tell you that the most impenetrable control systems are dominated by “prevention” controls at the expense of more “detection” controls. The former stops something from happening and the latter hopes to notify impacted parties after the fraud has already occurred (think locking the vault vs the paint canister that explodes in the getaway bag). But there’s a cost of having “prevention”-type controls only. They can wreak havoc on operational efficiency. For example, larger companies can afford to have multiple check signers. A small business, by contrast, might have only one or two in an effort to restrict access to bank funds. An effective control which could also serve to prevent the COD delivery man from getting a manual check while the only two signers are at lunch together. Thus, designing a solid internal control system requires many trade-offs between risk and efficiency.
According to the ACFE (Association of Certified Fraud Examiners) in 2014, companies with fewer than 100 employees incurred nearly 1/3rd of all instances of fraud. Fewer employees means less segregation of duties (like separating check signing authority from expense approval), too-generous IT system access rights (handed out to ease operational log-jams for the IT department), and inadequate oversight (as a result of smaller workforce) among other risk factors cited. Additionally, small business is disproportionately punished by fraud due to the increased likelihood that a given loss would materially impact a smaller balance sheet. In the end, there is ample evidence to suggest that many companies with less than 100 employees are likely overdue in 2017 for an internal controls re-assessment.
Russ Gambrel is a Senior Consultant with Fahrenheit’s Finance & Advisory practice. Russ has focused most of his career assisting companies of all sizes assess and implement practical and efficient controls across an organization’s processes and information technology systems. To learn more about improving your company’s performance through more efficient and effective processes, contact Russ at firstname.lastname@example.org.