Trust Your Employees? You Still Need Policies and Procedures
As a Certified Fraud Examiner, I continually run into employers that say they have complete confidence and trust in their employees. While that is often true, it can be an excuse for not implementing preventive measures. The correct policies and procedures can give an employer a way to help their trusted employees make the right decisions.
Today’s business environment is full of potential pitfalls for employees. Even the best of employees can succumb to these weaknesses. Let’s take a look at an example of a normal employee’s morning, and review what pitfalls could be waiting for a trusted employee who doesn’t have any mitigation from their employer.
Employee Name: Jamie Doe
Position: Accounts Payable Clerk
Organization: Electrical Contractor
Organization Size: 30 employees
8 AM
The employee arrives at work and begins opening emails. One of those emails contains a link to a site that will download ransomware and encrypt files on the organization’s servers. Another email, forwarded by her mother, contains links to pictures of puppies that download software that records the keystrokes Jamie enters, including company passwords and passwords to her bank account. Without proper mitigating controls by the employer, we are hoping this employee has had their coffee before opening their emails, and that they make the right decision about the spam link and the links to the puppies. With organizational controls, those spam emails are a lot less likely to appear in the employee’s mailbox. There are various degrees of mitigation for this situation.
9 AM
Jamie opens the snail mail from the previous day. She opens an invoice from CVT Enterprises for services performed for $356.50. She doesn’t know what this is for, but it comes monthly and for the same amount. She hates to bother other busy employees with questions, so she enters it into QuickBooks for payment. The organization, CVT Enterprises, doesn’t exist, and is actually a disgruntled former employee trying to get money from the organization. Fraud has occurred even though Jamie is an honest and trusted employee. It’s a small organization, so the typical mitigating control of segregation of duties doesn’t exist. We are trusting the very busy employee to verify the invoices are real, confirm that the products and services on the real invoices are legit, approve them, and enter them into QuickBooks.
Obviously, I’m making this sound as bad as it gets. This employee is truly honest, but honest employees make mistakes and fraud can happen. There is a strong possibility that a very busy employee could receive an invoice from a trusted contractor for services and products which that employee has very little understanding of, and just send it through to be paid. This could happen for months or years, leading to a fraud investigation that could reveal a very large loss. Mitigating controls would alleviate this risk, and help your employee to do the right thing.
10 AM
Jamie’s desk is in the front office off the lobby, and her job duties also include watching the lobby window for any visitors. Visitors are infrequent, so it isn’t asking too much of Jamie, and she is happy to help out where needed. This day a gentleman in a Comcast shirt comes to the lobby window requesting to see the server room so he can do some updates. He assures the employee there will be no downtime. Jamie questions the gentleman, but is reassured and lets him in the back room with the servers alone for 45 minutes. The fake Comcast employee gets lucky. There are no timeout policies on logins on the servers, and he proceeds to download all data from the servers, including customer data and credit card information. The goal of this heist is to sell the customer list to a competitor, and sell the credit cards on the dark web. The honest employee has made another mistake trying to do the right thing when mitigating controls would have prevented this situation.
11 AM
The employee enters receipts for other employees’ company credit cards. In Jamie’s mind, as long as there is a receipt it is a good expense. Policies and procedures surrounding company credit card use don’t exist. The employee ends up entering fraudulent expenses, but the employee is a 100% honest employee. Eventually an employee falls out of grace with management, and management asks to see their credit card expenses. The questionable expenses are found, but can’t really be acted on because there are no policies stating what a legit expense is. Again, trusting your employees doesn’t always produce the outcome you were hoping for. A little help with mitigating controls can go a long way.
12 PM
Lunch time. Jamie, a completely honest and trusted employee, has unknowingly helped perpetrate several frauds in just her morning activities. Due to these activities, the organization will be forced to close its doors at the end of the year.
Most small organizations will never recover from a large fraud or data breach. The organization and Jamie thought they were doing the right thing. Do your employees have the proper policies and procedures to do their job correctly? Trusting your employees does not mean they won’t unknowingly help a fraud occur.
If your organization would like to continue a discussion on this topic, or other fraud-related topics, please email me at dhammarberg@macpas.com.