Inside Job

By SmallBusinessComputing Staff | Posted November 02, 2001
By David G. Propson

One day in late March, Pete Saewert noticed a problem with the checks his company had issued the previous month: Some of the check numbers did not match up to a payee listed in the register. Saewert asked Marilynn Bozec, the company's accounts payable clerk, for the bank reconciliation records. When these did not resolve the problem, he asked to see the cancelled checks themselves.

Saewert is director of finance for Holoubek Inc., a Pewaukee, Wisc. screenprinting company that specializes in Harley-Davidson apparel. The 85-person company ranks among the top 100 companies in its industry, according to the Screenprinting and Graphic Imaging Association. While Saewert examined the checks, he told investigators, Bozec waited outside his office, pacing nervously and peeking in. He couldn't find the missing checks, and called the bank. The next day he was told to whom check #87631 and check #87677, both for more than $19,000, had been made out: Marilynn Bozec.

Bozec's job responsibilities included general accounting, reconciling invoices, setting up payments for those invoices, and processing reports. When an invoice was received, she would generate a company check using Holoubek's accounting software. These checks, drawn on the company's general checking account, then were forwarded on to Saewert for his signature.

But in some cases, Bozec changed the name on the checks. First she would enter the name of a legitimate vendor into the accounting program. Next she would change the payee on the actual check to herself, her daughter, or a bank or credit card company she owed money to. After she printed out the check, she would reenter the accounting program and alter its records to show that the check had been made out to the legitimate vendor. When the cashed checks were returned to Holoubek, she made sure to get to them first, and shred them in the company's shredder.

Eventually Saewert and his boss, Vern Holoubek, would determine that Bozec had stolen more than half a million dollars over the course of almost four years. According to prosecutors, Saewert confronted Bozec and told her she would be terminated unless she could offer an explanation. 'I can't explain but I can give you the money back,' she said. 'I'm so sorry, Pete.' As she was being escorted from the building, she wrote out a personal check for $40,000, and said she hoped Saewert could forgive her some day.

Holoubek, understandably, is reluctant to talk about the case, since criminal and civil cases against Bozec are still awaiting trial (she doesn't challenge the facts of the case, but does disagree with the prosecutor's estimate of total loss). But court documents make clear that a serious crime was committed, and that it seriously hurt the company.

'You can never say that someone committed a fraud,' says Holly Sharp, a CPA and certified fraud examiner at Laporte, Sehrt, Romig & Hand in Metairie, La. 'That's for the courts to decide.' For business owners looking to learn from Holoubek's experience, what's important isn't who committed the crime, but how it was committed and how it might have been prevented. New technology has made fraud easier, but also can help companies avoid it - if they know how to use it.

How Bad Is It?
The pervasiveness of fraud among small companies and the extent of damage done is difficult to gauge. Most companies don't tell the authorities or file charges. 'It's grossly underreported,' says Todd Shipley, head of the financial crimes unit of the police department for Reno, Nev. 'Some companies just want to get on with business.' But in 1995, the United States Chamber of Commerce reported that 30 percent of all small business failures resulted from internal crime. While business owners fret over hackers, online security, and credit card fraud, the real threat lies closer to home.

'All fraud is broken down as internal or external,' explains John Warren, associate general counsel for the Association of Certified Fraud Examiners. 'Both occur in small businesses, but by a wide margin the larger risk is internal.'

The way fraud is perpetrated depends on the type of organization, Warren says, and different types of business are vulnerable to different types of fraud. A retail business may be the victim of skimming, in which sales are simply never recorded and employees pocket the money; such losses usually only show up as a mysterious 'shrinkage' in inventory. Manufacturing companies are vulnerable in their shipping departments, where large quantities of product are being transported and exchanged. Professional firms, meanwhile, are most vulnerable through their billing processes.

But among all groups, small companies tend to be at a greater risk from fraud than large ones, according to Warren. 'Small businesses are particularly vulnerable to fraud,' Warren says. 'They tend to put a lot of control over their finances into the hands of a single person. The owner has pretty much placed blind trust in that bookkeeper.'

Small businesses also are less able to withstand large losses. 'The loss of $100,000, to some people, means the end of the company,' Warren says. But the problem isn't just that small businesses have a smaller margin for error: They're often taken for more money than larger ones. The ACFE's 1996 'Report to the Nation' studied 2,600 fraud cases among companies of all sizes. For companies that had fewer than 100 employees, the median loss was $120,000, the second highest in any category. 'As the number of employees went higher, the size of the average amount actually went up,' Warren explains.

'Small companies don't have the money, they don't have the expertise, and they don't know where to go,' Shipley says. 'They don't know how to deal with the technology or how to protect themselves.'

Technology Makes It Easier
Embezzlement, unfortunately, has been made easier by the widespread adoption of computerized accounting programs. Businesses that do not use such programs thoughtfully or systematically may find fraud hard to prevent and even to identify. 'When you have computers involved, it gets a lot more complicated,' Sharp says. 'If you've got someone really sophisticated, it's easier to cover up their actions.' Old versions of documents are usually written over automatically, so that it is hard to compare original documents to new ones, which may contain fraudulent information. 'In a manual system, everybody had the ability to check old documents,' she says. 'Now, if you're not checking the source documents, it can go on for months or years before it's discovered.'

But technology only exacerbates the fraud risks small businesses already face. Small organizations frequently lack what investigators call 'internal controls.' Too often, all crucial accounting tasks are assigned to a single employee. Ideally, one person should issue payments and another should reconcile the cancelled checks with the company's payment log. Such controls help prevent fraud and can help the company catch innocent accounting errors, as well.

Small businesses often don't have enough staff to do this. And companies that have computer networks but don't know how to manage those networks may be at a greater risk than those with no networks at all, according to Shipley. If the company's financial records are stored on the network, they may be accessible.

How to Protect Yourself
Businesses can take a few simple steps to protect themselves. Make sure someone in a position of responsibility - the CEO, if necessary - receives the bank statement, unopened, every month. They can then easily identify any major discrepancies. (Holoubek's curious accounting went unnoticed for almost four years, remember, but was quickly resolved once it was noticed.)

Companies with networks should restrict access through passwords and other mechanisms. However, Sharp points out, they should not make the mistake of limiting access to accounting files to too few people, as that can lead to a lack of oversight. The designated network administrator, at the very least, should have access to these files.

Tech-savvy companies also have access to some useful tools that can help prevent and identify fraud - if only they would use them. By automatically backing up data on their networks, they can provide investigators with previous versions of vital documents, which will help identify discrepancies. An archive of the network's administrative logs will provide a record of who accessed which files when.

'You need to know who does what,' Shipley says. 'From an embezzlement point of view, the biggest problem we have is that businesses have no control over who has access to data. Businesses secure networks from the outside, but not from the inside.'

Most accounting programs also provide ways to track changes and identify irregularities, according to Sharp. For example, one common method embezzlers use to cover up what they've taken is to issue two checks for identical amounts - say, the $900 owed for the company's phone bill. One actually will be made out to the vendor; the other will have the employee's name on it. In the ledger, however, both will seem to be written to the phone company. It's difficult to identify such fraud unless someone happens to see both cancelled checks. But if someone at the company occasionally uses the 'Sort by Vendor' function of their software, the double withdrawal will become immediately apparent.
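The two checks described in this article, reconciling cleared checks against the payment log and sorting by vendor to expose a double withdrawal, can be sketched as follows. This is an added example, not code from the article or from any accounting product; the vendor names, check numbers, amounts, and function names are constructed for illustration. It assumes the cleared-check data comes from the bank itself, since the case above shows that the accounting program's own records can be altered after the fact.

```python
from collections import defaultdict

# Constructed sample data: (check_no, payee, amount_in_cents)
LEDGER = [
    (1001, "Acme Telephone", 90000),
    (1002, "Acme Telephone", 90000),   # second check, same vendor and amount
    (1003, "Ink Supply Co", 412550),
    (1004, "City Utilities", 23075),
]
# What the bank reports as cleared (taken from the statement or check images).
BANK = [
    (1001, "Acme Telephone", 90000),
    (1002, "J. Doe", 90000),           # payee differs from the ledger
    (1003, "Ink Supply Co", 412550),
    (1005, "J. Doe", 1900000),         # cleared but never recorded
]

def normalize(name):
    """Case- and whitespace-insensitive payee comparison."""
    return " ".join(name.lower().split())

def duplicate_payments(ledger):
    """The 'Sort by Vendor' check: same vendor, same amount, several checks."""
    groups = defaultdict(list)
    for check_no, payee, amount in ledger:
        groups[(normalize(payee), amount)].append(check_no)
    return {key: nums for key, nums in groups.items() if len(nums) > 1}

def reconcile(ledger, bank):
    """Compare the payment log with cleared checks, keyed by check number."""
    book = {no: (normalize(payee), amt) for no, payee, amt in ledger}
    findings = []
    for no, payee, amount in bank:
        if no not in book:
            findings.append((no, "cleared but not in ledger"))
        elif book[no][0] != normalize(payee):
            findings.append((no, "payee mismatch"))
        elif book[no][1] != amount:
            findings.append((no, "amount mismatch"))
    cleared = {no for no, _, _ in bank}
    findings += [(no, "outstanding") for no in sorted(book) if no not in cleared]
    return findings

if __name__ == "__main__":
    print(duplicate_payments(LEDGER))
    for finding in reconcile(LEDGER, BANK):
        print(finding)
```

The duplicate check alone only raises a question; it is the comparison against bank-side payee data, run by someone other than the person who issues the checks, that settles it.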

'Typically, you're buying canned software and they've already incorporated many of the controls for you,' Sharp says. 'You've already paid for this protection, but if you don't read the manual you're not taking full advantage of it. You own the program and you're not even using it.'

A sophisticated criminal would be able to find their way around such safeguards, but most employees who commit fraud aren't particularly sophisticated, according to James Adler, an independent fraud examiner (formerly with American Express) who now works out of Chicago. Most fraud crimes are eminently preventable and are often easily noticeable - provided someone is watching. 'All you have to do is look at the books and someone, somewhere down the line, has got to see it,' he says.

Investigating Fraud
Investigators sometimes may be able to reconstruct or rescue deleted original documents using a new variety of techniques known collectively as 'computer forensics.' 'Any modification that's been made to your computer is still there,' Sharp explains. But such attempts at reconstruction can only be made after the crime has been discovered, and as Sharp notes, can be very expensive (usually somewhere between $150 and $300 an hour).

'It's just starting to be used,' Sharp says. 'We haven't seen many cases where it went to that extreme, but clearly it's right around the corner.'

Shipley points out that companies can avail themselves of police investigators' forensic skills free of charge - provided they are willing to file criminal charges. He recommends that all businesses, even if they have no current problems, talk to their local authorities about what they should do if they do detect a fraud, whom they should contact, and how they should proceed.

Not all police departments are expert enough to handle such investigations alone (though many are improving) and local FBI authorities may need to be called in to help. Ask if they're equipped to handle computer forensic investigations and if they are experienced on network investigations as well as PCs. 'Knowing ahead of time who to call will give you an idea of what you need to do,' Shipley says.

One thing a company should never do is attempt to perform an in-house computer forensic investigation using off-the-shelf data recovery tools. 'There's a serious difference between recovering a deleted file because you lost it and recovering it for presentation in a court of law,' Shipley says.

The People Problem
Once the fraud has been identified and the damage determined, business owners may have to deal with their own sense of betrayal and the effect of the event on the culture of the business as a whole. But first, they'll need to deal with their employee.

'The typical person who steals is a trusted employee who has been with the company for many years,' Jim Adler says. In part, this is because newer employees are less likely to gain positions of trust and authority. But it also explains, perhaps, why so few fraud cases are actually reported. It's a traumatic event for both parties. Many employees, like Bozec, say they intended to pay back the money, and that things simply got out of control.

'Generally speaking, most people who steal, it's the first time they've ever been in the situation,' Adler says. 'People get away with stealing a dollar, and then they try to steal two dollars.'

When she was told that the amount of money she had withdrawn was more than $750,000, Bozec was surprised. But she admitted that over time her acts had begun to blur and she had simply generated checks whenever she needed money. She said she had given some to her daughters, had paid off her credit card accounts, and had used money to pay off personal bills, to travel, and to purchase goods for a side business she had started. She had purchased a Cadillac, a Ford van, and a motorcycle.

But the majority of the money Bozec took she gambled away. She went to nearby casinos and had spent about $3,000 to $4,000 a day, every day, for the past two years. Adler says that employees often have personal problems. Ultimately, the crimes they commit hurt not just their employer, but themselves.

Most people won't become criminals unless they have a need, and have some way of justifying their acts to themselves, Adler says. The key, then, is to not give them a chance. 'If they have the justification and the needs, but they don't have the opportunity, they won't steal.'

Companies can take practical steps to protect themselves and their employees by creating policies and implementing technology that deters fraud. They can also show positive concern for the welfare of their employees. 'In a small company where you can't have internal control, but [do] have alert and involved management, you're less likely to have an embezzlement,' Adler says.

So pay attention: You just might save your employees - and your company - from themselves.

David G. Propson is senior editor at SBC.
