Take Action Against Fraud - 5 Things You Can Do Today

Webinar Description

No one wants to think about fraud occurring in their business, but did you know that the latest research shows that businesses with fewer than 100 employees suffered the highest median loss... to the tune of $150,000. Moreover, the median duration of fraud - the typical time between when a fraud begins and when it is detected - is 14 months.

Doesn’t sound good, does it? Small businesses feel the impact of a loss of this size much more than larger organizations. The good news is, it doesn’t have to be that way. Join us for a discussion on proper controls that accounting firms can put in place for their clients or you can put into place today to protect your business.

Learning Objectives:

• Identify common fraud schemes

• Recognize processes that may be susceptible to fraud

• Determine controls to guard against fraud

Speaker(s): Laura Redmond - Founder & CEO, Redmond Accounting Inc.

Webinar Transcript

Christine

Hello everyone, and thank you for joining us on cpaacademy.org. My name is Christine, and I'll be your moderator for today's one-hour webinar on Take Action Against Fraud: Five Things You Can Do Today, sponsored by bill.com. All right, first thing's first. Let's make sure you can hear and see everything okay before we get started. If you don't mind heading over to your GoToWebinar control panel and locating the questions box there, if you could just type me a quick message to let me know that you hear my voice, you see the title slide of the presentation on your screen, and while you're there, I always love to know where everyone is tuning in from across the country or across the globe.

All right, so I'm seeing Texas checking in, see a couple of Texans checking in here. Welcome, welcome. All right, Maryland welcome, South Carolina, Las Vegas. North Dakota's checking in. Virginia, hello. Idaho Mountains, Connecticut, Arkansas, Chicago, welcome neighbor, Pittsburgh, Vegas. All right. Scrolling through here, and it looks like everyone is good to go so far. If you do experience any technical issues or you have any questions or concerns, or if you have any questions that may come up for you for our presenters during the webinar, this is where you want to put them.

All right, so let's go over some housekeeping for credits. Today's session is going to qualify for one CPE credit, and in order to earn the full credits today, you want to make sure that you stay logged in for at least 50 minutes of our allotted time and answer a minimum of three out of the four polling questions. We will actually be having five polls today, throughout the presentation, and each time a poll is launched, you will see a poll box take place of where you currently see the presentation slides, and you will be able to select your answer and submit your vote. To earn full credit on the polls, remember, you need to answer at least three out of the five polls.

All right, and now once the webinar's over, we're going to make sure to process your CPE credit, and that will be available in your CPA Academy accounts within 24 hours. And for handouts, if you haven't downloaded them already, you can locate those on your GoToWebinar control panel, under the handouts box, so you can easily download and follow along or refer back to them in the future. If you have any issues downloading the PDF, you can let me know in that questions box and I can send you over the link, but we also have copies of the handouts waiting for you in your CPA Academy accounts. All right, that's it for me for now. Let me step out of the way and give a warm welcome to today's presenters, Diana Tucci with bill.com and Laura Redmond with Redmond Accounting. Take it away Diana and Laura, the floor is all yours.

Diana Tucci

Thanks, Christine. I am Diana. I'm the marketing manager at Bill.com. I'm pleased to welcome you to today's webinar, Taking Action Against Fraud: Five Things You Can Do Today with Laura Redmond. For those who aren't familiar with Bill.com, we're a leading provider of cloud-based software that simplifies, digitizes, and automates complex back office financial operations for small- and mid-sized businesses. Our customers use AI-enabled platform to manage their end-to-end financial workflows, process payments, manage cash flow, and create connections between their business and their suppliers and clients. We partner with several of the largest US financial institutions, including the majority of the top 100 US accounting firms, and we integrate with leading accounting software providers.

I'm excited to welcome back today's speaker, Laura Redmond. Laura is CEO of Redmond Accounting, a boutique accounting firm providing client accounting, advisory, and consulting services centered around QuickBooks Online and its ecosystem of apps. She was also awarded 2019 Top Client Accounting Services Pro Advisor, so without further ado, please join me in welcoming Laura Redmond.

Laura Redmond

Thanks so much, Diana. Hello everyone. I am so glad you could join me today. Our topic is fraud, a word that causes most of us to shudder. As Diana was saying, I want to introduce myself a little bit, just to tell you about my experience, so you know where I'm coming from, and as Diana was saying, I run a firm called Redmond Accounting, Inc. We are based outside of San Francisco, in Silicon Valley, and we have staff in California, Ohio, and Arizona. We moved all of our clients to QuickBooks Online, and bill.com, and Expensify, and other cloud apps like this in 2011, even before that, but everyone was transitioned by 2011. So we've been working in the cloud and creating for our clients this paperless, web-based type of accounting environment for this past decade.

Our firm provides client accounting services, so we act as the accounting department for our clients, the bookkeeper, the controller, the CFO. We don't do tax. We don't do audit. And we provide technology services, where we build this cloud accounting infrastructure for businesses who then have their own staff, their own accounting department to do the work. They just have us set it up, and we're in their back pocket as support. We also help other accounting firms, by training their staff and implementing cloud accounting infrastructures for their clients. We act as the technology division, white labeled, for other accounting firms.

All of that cloud accounting experience over the past decade led us to create this tool that we needed to run our firm, and that tool is called Aero Workflow, so in addition to the accounting firm, there's a separate company called Aero Workflow that I spend a great deal of time working with, and that allows us to schedule all of the various tasks that we have. We can schedule them in their recurring frequency and delegate all of our tasks to each of our different staff. We have separation of duties, and all of this stuff is going to kind of come into play is what I'm talking about today. And accounting firms around the world use Aero Workflow to run their accounting firm.

Then the third thing I spend a lot of my time on is I'm a member of Intuit's trainer writer network, and I do webinars with Intuit, and bill.com, and LivePlan, and other cloud-based apps like that. I coauthored a lot of Intuit's QuickBooks Online certifications for accountants, and I've traveled a bit around the country, teaching at accounting technology conferences. All of that type of work I do is really kind of the same thing. It's all centered around QuickBooks Online and its ecosystem of apps. In addition to those apps, there's also the very important new method of workflow, how you do things, that is called for in this cloud environment.

Okay, so that's me, and as we get into this topic of fraud today, I thought it would be fun to talk about a few stories. I like stories, so I'm just going to tell a few stories. Our firm is celebrating our 16th year in business, and we are not certified fraud examiners. You would expect fraud examiners to see a good bit of fraud, but we're general practitioners, and we have also seen fraud, so I just want to tell you a few stories that we've come across personally, just in the normal course of business that we do. If you have been witness to fraud, then these stories may resonate with you, and if you have not, then my hope is that these stories help you prevent it from happening to you or the businesses you work with. There's no fear intended here, just sharing stories, sharing experience.

My first story is one day, we got a call from a growing company that had about 50 employees. They had been referred to us. They needed a new accounting department, and it was urgent they said. Their bookkeeper, their employee bookkeeper, had just quit the last day of the month. One of her duties was printing the weekly vendor bill payments. The company's blank paper check stock was kept in a locked drawer. She had to ask the manager for checks every time she went to run a check run, so they had systems in place. She had to tell, the bookkeeper had to tell the manager how many checks she needed, the exact number that she was going to need to print.

Now, recently, by the time they called me, they said that recently, there had been several paper jams. They were thinking back, from what the bookkeeper had told them, that there had been several paper jams in the printer, and the bookkeeper had had to ask for a few extra checks. After the bookkeeper quit, the bank statement arrived, and they discovered that the bookkeeper had been printing checks made payable to herself, and forging the principal's signature, the check signer's signature. Luckily they found it, but they had a lot of financial activity in their business, and they felt that it very easily could have gone undetected, so they worked with local authorities, and in their situation, those checks were smallish, but they added up to $17,973.53.

So, beware of employee fraud. It does happen, and one little tip I'll give you that we learned during this experience was, this is just an aside, that if this ever happens to you and you catch it, you can at least, this is not a great comfort, but you can actually send a 1099 to the criminal, so that in addition to whatever other punishment they receive, they will also have to pay tax on the amount stolen. Anyway, there is one story.

Another story that we've seen as a firm is one day, we received an email from an existing client, and they were authorizing a payment by wire to one of their vendors. It was a large amount, but not out of the ordinary for this business. The amount of the wire was $1.4 million, but that was not the only time that kind of money had moved hands with this company. It had a trail of... The email we received had a trail of emails below it, where you could see the vendor had sent the supporting documentation, and people were replying back and forth. There were just... You could read the conversation there. We even recognized the project name that this wire was referencing. We had made some other payments recently for that same project.

In this situation, all wires, the procedure was that all wires require written and verbal approval. So, we call the client, using the number that we have on file, to confirm the wire, and we discovered that the client knew nothing about this wire. They did not request it. So then, we, the client and our firm, went into investigating that email request for that wire payment, and we found that the sender's email was very similar to our client's email domain. So we thought it came from our client, but when you look really closely, the criminal had added one letter into the domain name. There was an R in the domain name, and they added a second R. You just can easily miss something like that. It was not noticeable.

In addition to the fraudulent wire request, it was disturbing to all of us, to us, to our client, that the criminal had tapped into this business's secure email account, to their domain, and gotten ahold of an actual email conversation, which they were able to jump in on and forward along to us, and even know to forward to us as the payment group, with the fraudulent wire payment request, so it had actual employee names, and email addresses, and the vendor, and the project names, so it looked really legitimate. That can happen, and this story is to say beware of email fraud, and you'll hear email fraud also called BEC, or business email compromise. That's one of the terms they use for this.

My third story is one, about maybe three or four years ago it's been now. A client of ours, so this is an existing client, another one. These are all separate clients. They forwarded us an email, as their accounting department, that they had received from a police officer in another state. They said, "What is this about?" So we looked into it. The police department was investigating a check that an individual's trying to cash, that was flagged as fraud. We immediately went into like fraud alert feeling. You know that feeling that's like, "Wait, what's going on? Who do we trust? What's happening here?"

First, we called the police department, but we didn't even know if that was a legitimate police department, so we went out publicly to find that city's police department, and got the number that way, and called that police department to verify that the person who had sent the email was in fact a police officer, and yes it was, so that part was legitimate. So then we started working with that police department. The officer sent us a copy of the check, and it had our client's company name and address in the upper-left corner. That was correct, but the payee name and the dollar amount didn't match anything in our records, so the check had been altered.

Then, over the course of the next hours, we started to receive similar reports, in that same day, from other states, about checks that did not match anything in our system, $1,978, $2,300, $7,812, and then one came in for $450,000. A check had been stolen, washed, duplicated, and then used en masse, all over the country, different states, Washington, Georgia, Maryland, the same day. They hit all at once, trying to get cash. Our client's anxiety, our anxiety was rising as the day progressed. The local police department stepped in and led an investigation, where they worked with all the precincts around the country, in the different states that were involved on this case, and the fraud attempts continued to happen over the next several months.

We did keep receiving more and more, but in the end, the lead detective sat down across a conference table with me, the client, their whole legal team, and security team, and confirmed that not one penny was ever stolen, and the reason not one penny was ever stolen was because our client was using bill.com, and bill.com's fraud prevention features prevention features prevented it. The detective had not heard of bill.com before that, and he was a fan by then. So our client's checking account was safe, because bill.com's routing and account numbers are on every check that goes out. Our client's account number was not on the check, and so our client's bank account number was safe.

In addition to that, bill.com automatically, on every check, you don't have to turn it on, bill.com automatically uses positive pay service on all checks, so none of those fraudulent checks were successfully cashed, because they all had different dollar amounts in the system than what the person trying to cash it did. So our client was safe and bill.com was safe. That story is just to tell you to beware of check fraud. These three stories I'm telling you, again, I don't mean to incite fear at all. Just want to mobilize you to protect yourself, because these are just three that I've seen, and I'm not generally working necessarily in fraud situations. That leads us to our first polling question.

Christine

All right. Thank you, Laura.

Laura Redmond

Yeah.

Christine

Just launched the first poll question, and it will stay up for about a minute. This one's asking has your business, or a client's business, or a friend's business, I mean, basically do you know anyone who has been a victim of fraud? All right, thank you everybody for voting on poll question number one. We got 92% of you voted in, and we keep this open for a couple more seconds here. All right, we're closing down poll question one in three, two, and one. And it looks like, let me share the results here real quick, 39% said, "No, but I know those who have been victims of fraud," 27% said, "Yes, we lost money," 18% said, "Yes, it was attempted, but we were protected and did not lose money," and 16% said, "No, because we have these fraud prevention guards in place."

Laura Redmond

Nice. Okay, thank you Christine. So, there are a couple reports I want to show you, and just talk about some of the highlights. This first report was released last year by the AFP, Association of Financial Professionals. It's called the Payments Fraud and Control Survey Report, and it covers fraud related to payments. Then this one is the Association of Certified Fraud Examiners, and they released the 2020 edition of their Report to the Nation a few months ago, so it's a great... It's a global study. It's a great study on occupational fraud and abuse. Occupational fraud is when fraud is committed by individuals against the organizations that they work for, and it's among the costliest forms of financial crime in existence.

There are more than 3.3 billion people in the global workforce, and nearly all of them have access to or control over some portion of their employer's cash or assets, and the vast majority of those three billion people will never abuse the trust placed in them by their employers, but the small percentage who do can cause quite a bit of damage, so anyway, here are some highlights from those two reports.

One thing to note is that eight in 10 organizations were victims of attempted or actual payment fraud attacks in 2019, and I think in a few months, we'll get the newer numbers out. Of course 2020 was a COVID year. It'll be interesting to see if that had any effect, but these numbers are somewhat similar over the past many years, so 81% is quite a number. It's the second highest percentage in the past decade. It has increased since a low of 60% in 2013, but has been gradually increasing since then. Experts say that too few institutions are taking steps to avoid fraud, and so lots of organizations are only doing it once they become a victim.

Then there is just as much or more fraud in large organizations. However, small businesses seem to feel the impact more than larger entities. Attacks on smaller organizations increased 10% last year. Attacks on large, well-known companies may make the most headlines, but smaller businesses are vulnerable, and they aren't as likely to have sophisticated or extensive internal controls.

Now, looking at occupational fraud, fraud committed from inside the organization, the median loss per case, across all business sizes, is 125,000, but that median amount is greater in small businesses. It's 150,000. So billing fraud is two times higher in small businesses. Payroll fraud is two times higher in small businesses. Check tampering is four times higher in small businesses. Occupational fraud typically lasts about 14 months before it is detected.

Now, check fraud topped the list. Of the payment fraud, of the payment methods, check fraud topped the list as the most frequently subjected to fraud attacks. This is from 2019 in the 2020 report. 74% of organizations experienced check fraud. That's 3/4 of businesses, and while checks are increasingly seen as outdated methods of payment, many B2B payments are still made by paper checks, 42%, which is up from 70% in 2018.

Common check fraud techniques include photocopying valid checks to deposit it multiple times, or creating fraudulent checks with stolen bank account information, or soaking stolen checks in chemical washes to remove the toner, the ink, and replace it with a different payee name and amount. Check tampering is nearly four times more common at small companies. The next most common was wire fraud, and that's on the decline, down from 48% in 2017 down to 40% in 2019. That's the third consecutive year in which wire fraud activity declined, but it's still high.

Then comes credit card fraud at 34%, and well, what does credit card fraud look like? Fraudsters use card skimmers. That's when you insert your card, the information goes to someone else other than the gas station or restaurant that you think you're paying, so if you are not sure about the metal slot that you're... You know at the gas station, the metal slot you're inserting it in, if it looks worn, or loose, or something, you may want to go in and go straight to the attendant or something.

Fraudsters also intercept mail, such as bank statements and new credit cards, and fraudsters access online purchasing. So when you're buying online, make sure the web store uses a secure checkout, make sure that you're on a secure private network, not at the public library, or café, or airport, or mobile device. I mean, sometimes we are, but just be aware that that's happening, that that can happen. And some fraudsters get a job working at a restaurant or a store, and when they take your credit card to pay for your mail or your goods, they copy your card info, so it's best if you can have the waiter or the clerk swipe the card in front of you and not take it out of your sight. Anyway, those are just some examples of common credit card fraud scenarios.

Then what happens, the next thing you know, once credit card fraud has occurred, you receive notification from your credit card financial institution. Many of you may have had this happen, and they'll say that unusual credit card activity has been detected, or maybe one of your employees notifies you that they don't recognize charges on their company credit card statement, or worse, nobody notices at all, and the fraudsters just get away with it. Anyway, credit card fraud there at 34%. Then after credit card fraud comes ACH payment fraud, which is on the rise, with wire fraud on the decline and ACH on the incline. This suggests fraudsters are paying attention to this payment method now.

Okay, so fraud sources. The number one, the majority of payment fraud attacks originated from business email compromise, BEC. That's email fraud. 61% of companies that experienced fraud in 2019 did so as a result of email fraud, and that was the first time, 2019, that email fraud topped the list. That's pretty concerning, how widespread that has become, because we all depend on email. How do they do it? Well, first they research the size, and type, and frequency of the payments you make, so train your staff to make sure this information is not shared. Then, they impersonate someone by sending an email from a lookalike domain. The recipient of the email thinks the message has come from a legitimate source, like a trusted vendor or an executive within your company, and the email requests or authorizes payment, and often has new or changed payment instructions, particularly where to send the payment, and payment is sent to an account as instructed, and that is an account that is controlled by the criminal.

Incorporating email fraud controls is challenging, and even if the fraud is detected, funds have often been moved already, so oftentimes, people are finding that when they've had this occur to them, they go to try to reverse the wire and it's too late. The fraudsters, as soon as they get your wire, will generally move it immediately again. The second most common source of payment fraud in 2019 came from individuals forging checks and stealing credit cards, and the third most common source of payment fraud identifies is third-party vendors. Here is our second polling question, Miss Christine.

Christine

Thank you so much, Laura. All right, so we have just launched poll question number two, and you should see that showing up on your screens now. We're going to keep this open for about a minute, and we have three more polling questions left for the remaining hour.

Laura Redmond

Yeah, so if you're an accounting firm, does your firm provide bill pay services for your clients, and if you're not an accounting firm, if you're a business, does your business pay vendor bills or have an accounting department with an accounts payable person or an accounts payable department, that pays your clients' bills, and if so, do you use bill.com? Do you do it manually? Do you use another automation? Do you not have any bills to pay?

Christine

Gosh, that sounds nice.

Laura Redmond

Yeah.

Christine

All right, we are closing down poll question two in three, two, and one. Back to you, Laura.

Laura Redmond

Thank you. There are lots of effective fraud controls that can be implemented quickly, and inexpensively to protect your company. Here, we're going to go over five ideas that you can implement today, or whenever you're ready. The first one is to establish clear fiscal policies and procedures. I know that sounds boring, but it is very important. You want to do this in writing, and you want to get them approved by the upper echelon in the organization. These need to be crystal clear, no confusion. They should be followed by all staff involved.

Then, using those policies and procedures, you'll create streamlined checklists based on your procedures. Those will be used by the person or each of the people who is performing the work, to ensure that everyone is following the procedures, so that no one is forgetting an important step, so that tasks are performed consistently, to reduce errors, save time, avoid fraud, and to perform the tasks on schedule at the right time. Checklists also act as a work log, so that the work can be tracked. That helps you look for and solve potential vulnerabilities in security and figure out exactly how you will handle every accounting task in your organization.

Let's look at an example. If the procedure is to validate a change of payment address request or change of payment instructions that you received from an existing vendor, based on what we know about the threat of fraud in this situation, your checklist may include steps like this. Validate the sender's email address, domain name, looking carefully for very minor changes. Identify a known contact phone number in your system, not the one in the new payment instructions, pick up the phone and call the vendor to validate the new payment information. Ask the vendor for the reason for the change, and be suspicious of the vendor is vague about that, and be wary of vendors who frequently change payment instructions. Then escalate any concerns if a payment seems suspicious. Those are several steps, and you don't have to do them on every bill you're processing, just from time to time, when your vendor gives a change of payment address or payment instructions. Once you have this policy in place, you can see why if people use these steps, they would be less likely to have some of the fraud situations that can arise.

Organizations with clear procedures are better able to educate and train their employees on these common fraud practices, and on the company's controls to guard against it. Training employees how to spot and prevent fraud is essential. I mean, just bringing up that checklist and having the discussion about it is essential. And training employees not to share information on social media related to their roles and responsibilities is another good idea. A lot of people are out on social media, especially like LinkedIn, which is a great place to... for social media for businesses, but lots of people give information that is very interesting to cybercriminals. They can kind of give away maybe too much about their position. Maybe they say they're the person approving bills.

Well, that might be information that a cybercriminal might want to know, so make sure that your employees who are in that role of making payments maybe don't share too much information on social media about their duties. And also make sure your company website doesn't show your internal structure or your organizational chart when it comes to those people responsible for guarding the company's funds. Also, don't publicize these procedures. Train your employees that these processes are not to be shared publicly.

Here is what a documented procedure might look like. It will have screenshots. It will give very clear information on exactly what to do. Imagine how many steps there are in all of the various procedures in an accounting department, and imagine how easy it would be to forget a single step if you didn't have a checklist. Documented procedures and checklists help the organization retain control and not be as much at the mercy of someone who knows how to do it all by memory.

Here's what a checklist might look like. It lists each step in order. It's the shorter-cut version of the longer procedure, so every time you go to do the work, it might be all in your head, and if you don't have the procedures in the checklist and you're the person that does this work, and it's all in your head, then the rest of the organization can kind of feel like they don't know how to step in if you're out sick, or they don't have much oversight over it, so if you have these procedures and these checklists, and you can switch them from one person to the other and separate duties, this all becomes a much better situation for fraud prevention.

A checklist with every step, the steps themselves might also have a link to the full-blown procedure guide, so that as each person in the accounting department is doing this work, they're not having to open the big procedure guide and read it every time, because then work will slow down a lot. The procedure guide is there if they're new, or if they're covering for someone else and they don't know how to do this, they've got the full procedure, it is there, it's clear to everyone how you're supposed to be doing things, so if someone's not doing it right, then they're out of line there.

But the checklist is the shorter-cut version, so that when you do go to do this work, every time, you should use that checklist, and each of these steps could have a link to a part of the procedure guide. If someone does get unsure about one part of the checklist, then they could go jump in and see what screenshots or what the procedure guide says about it. That's really helpful when someone forgets how something should be done, or you're training a new employee, or the person who normally does this work is out sick or on vacation. These checklists are really helpful.

You know, think of a pilot. They have to follow a checklist before takeoff. And I'm sure they've done these steps many, many times. I'm sure they know them by heart, but if I'm a passenger on that plane, I want the pilot to use the checklist, so imagine the fraud implications of a simple accounting mistake. We use these checklists in our firm, and we also allow our clients who are doing their own accounting to use them, and we have them for everything, from entering bills, paying bills, voiding checks, reimbursing expense reports, processing company card purchases, onboarding new employees, validating time tracking, paid time off, setting up a new vendor, setting up when a vendor changes their payment instructions, reconciling bank accounts.

I'm calling these all out because I want to just give you an idea of how many pieces there are to the work that accounting departments do, and how many of them are potential openings for fraud. These tasks may all sound simple to someone who knows that work, but there are actually a ton of steps behind them, and they represent complex work that can cause major issues or fraud if they're not performed correctly. So, do you have your procedures documented in your organization, and if the answer to that is no, then can you think of an accounting process that leaves your business vulnerable? Start with one, maybe one that you can improve upon today. It's tedious work. I don't love sitting around writing up checklists and procedure guides, but it's important, so I don't want you to be overwhelmed with it. Just start with one.

Establishing these secure procedures is especially important as a foundation, for the next action item, which is to separate financial duties to ensure that no one single person controls all the parts of a financial transaction. Once your procedures are documented, then you'll go through every one of them and make sure that there are no areas controlled by one person. You see, creating the procedures, for one, it gets out how we're going to do things here, but two, it allows you to then have it all now out, to be able to go through it, and parse it up, and divide it, and delegate it, so split the procedure into smaller parts so you can delegate to different staff.

Let's look at an example. Let's take paying vendor bills. There are several parts to paying vendor bills, with several people involved. Each smaller part is its own process, its own checklist. Process one might be one person enters the bill transaction into the accounting system. Process two is a different person approves the bill, and you may actually have multiple approvers. Process three is a third person, different person, schedules the approved bill payments. Each of those three processes probably has its own checklist of step... definitely has its own checklist of steps for that person to do.

For example, the checklist for entering bills may have steps related to validating the bill document, or the supporting documentation, and verifying the remittance address matches what the system says, or is this fraud, where someone's remitted something and trying to get away with having a payment sent to another address? Selecting the proper chart of account class codes, and location codes, and all that stuff, assigning the proper approvers, and then the person who is paying the bills might have another checklist with totally different steps. They're going to be verifying whether funds are available. They're going to be reviewing the approver's notes, to see if there's any comments about it. They're going to be verifying the method of payment. They're going to be processing and scheduling the payment. That's just kind of to give you a visual on the steps and why they should be delegated between different people.

And there are other accounts payable processes related to paying vendors, you know, like voiding checks, and adding new vendors, and things like that. All of those need to be documented and delegated appropriately for separation of duties. And then there are countless other procedures, related to your entire finance department of course, so you'll review all of your procedures and split them up. Again, I don't want to overwhelm. I just want to give you the big picture, and then just start. However long it takes you, at least start doing that.

Here's a screenshot showing the permission granted if you're using bill.com. This is a screenshot when you invite a user, and you give them permission. This is a sample one given to an AP clerk. That's the person probably entering the bills. Separation of duties allows you to give different levels of access to different people, so that everyone doesn't have full access to the entire financial infrastructure. The person who enters bills wouldn't have authority to pay the bills and vice versa. If you're using accounting software like bill.com, then you probably have additional functionality like secure username and password to even log in, time date stamped audit trails to track who did what. You may have two-factor authentication. You're using encrypted, secure data channels. It probably automatically logs you out. In bill.com, you can create a setting to enforce the approval workflow, so bills have to be approved before they can be scheduled for payment. And time date stamps again on the approvals.

I'll just throw out some other examples of separation of duties. These are other places if you're looking for ideas. Again, not to overwhelm. Just trying to spark ideas, because all of you attending can be doing different things at different businesses. But some examples of separation of duties are require purchases, payroll, and disbursements to be authorized by a different person than the one actually making the payment. Separate those who work with money coming into the business from those employees who work with money going out of the business. One person wouldn't be, or shouldn't be, handling both money in and money out. And separate the handling of funds from the bookkeeping. The person who handles payments received from customers and deposits them at the bank might be a different person from the one who records those transactions on the books and reconciles the account.

Whoever does the purchasing may not be doing the bill pay, although the person who's doing the purchasing may be an approver on the bill pay. Ensure that the person authorized to write a check, and who has the key to the locked check stock if you're using paper checks, make sure that that person is different than the one who's signing the checks and vice versa. Have the person who's opening mail stamp all the checks as for deposit only before handing them over to the person responsible for depositing them. That way, they cannot be cashed. And periodically review your accounting system's audit log.

You can filter audit logs often by looking for voided and deleted transactions, to look for foul play. You can require supervisors to approve employees' timesheets and paid time off requests for payroll. Payroll's certainly an area to look in for fraud. If you're using paper paychecks, you could require that they be distributed by a person other than the one who authorizes or records payroll transactions. For wire requests, you could require that they be in writing, followed by verbal authorization. That's certainly one I would suggest using. I've seen that one be effective. If the organization's so small that you can't separate the duties, you can require an independent check of the work be done by perhaps a board member that you run reports for at the end of every month or something. And certainly, when accounting department employees take vacations, it's good to have others step in and be able to do their work.

I just want to throw out one thought here. The Hawthorne effect is an interesting phenomenon. Having proper controls in place has a wonderful domino effect in protecting the organization. When everyone knows that financial activity is being reviewed and verified, the approval process is, for whatever part of the accounting department you're using it on, an approval process is a very important component to the separation of duties, because it puts another set of eyes on things. For bill pay approval, it's even better if you have more than one approver. One approver could represent the person that ordered the goods or services saying, "Yeah, I ordered this. This is good to pay." And another approver may be the department manager in charge of the budget related to this expense. And you might have another approver, maybe the controller or CFO who's in charge of the available funds. You can also have reviewers and approvers on things like customer invoices, and employee expense reports, and timesheets, and the reconcile and close period. Lots of things to separate duties on, get more eyes on it. Okay, Christine. Here we are at our third one.

Christine

Fantastic. It is time for poll question number three. I'm launching that now, so you should see that showing up on your screens. We'll keep this open for about a minute. All right, if you're hearing my voice, we have launched poll question number three. This is poll question number three out of five, so we will have two more polling questions left for the remaining session. For those of you who are experiencing any technical issues with the polls, remember it always helps to exit out of full screen mode. Minimize the size of your screens and you should be able to submit your vote, but if you do experience any issues, please let me know in that questions box and I'll come by and help you out. 15 more seconds.

All right, thank you everybody for voting. We're closing down poll question three in three, two, and one, and let me share the results with everyone. Looks like 57% said, "Yes, no single person has control over all parts of finance," 31% said, "Yes, for the most part, but we can make improvements," and finally, 12% said, "No, I will pick one vulnerable process and split it between the staff."

Laura Redmond

Yes, very good. Okay, thanks Christine. Those first two ones were setting up the stories, and those first two were setting up a really strong accounting department. The rest of these, I think you're probably familiar with. I just want to call them out as very important actions that you can take to help prevent fraud. One of them of course is to send payments securely, which we all want to do. Remember the stat we saw earlier, 74% of organizations experienced check fraud in 2019, and with check fraud being the most common payment fraud. From the moment they're issued, check payments are the high risk for fraud for these reasons.

Dishonest employees may issue checks without proper authorization, fraudsters can easily alter checks or create counterfeit checks, and checks can contain bank routing and account numbers in plain sight for fraudsters to use, so it makes sense to make payments electronically instead of using paper checks. And apps like bill.com, and Expensify, and whatever other ones you're using out there, those are just the ones I know, but certainly whatever tools you're using, those make this super easy and secure. ePayment replaces the paper checks going out in the mail with electronic transfer of funds between the bank accounts. I know businesses today that require their vendors to accept ePayment, and they'll no longer send paper checks. Bill.com and other tools like it will send checks out that are protected with positive pay and the hidden bank account, but I know vendors actually that make all of... I know customers of ours, sorry, that make their vendors sign up for ePay, and they will only do the electronic pay, so whichever you want to do, but if you do need to send a paper check, then I definitely would use like a bill.com or a tool like that, that has positive pay.

If you don't know what positive pay is, positive pay requires that the information on the check that you issued matches the information on the check that's presented at the time of payment. If you're printing your own checks, you can contact your bank and ask them to activate positive pay for you. Then, every time you print checks and you send them out in the mail, you'll forward the details. You'll usually upload an Excel spreadsheet or something to your bank, and then before your bank will honor a check, it makes sure that it matches the data against what you had uploaded. So if the check is not found in your data or if the check information doesn't match, because it's been altered, then the bank notifies you and you can decline the payment.

In bill.com, you can track bill payment status from the time the payment is scheduled, to when it's processed, sent, and then cleared, and that information's very helpful to have at your fingerprints when you're... at your fingertips when you're researching a payment to a vendor. There are also options to click to void and cancel the payment or to void and reissue a check before it has been cashed. And if you sent a paper check, the scanned check images of the cleared check will be automatically scanned for you, so when you want to research a payment to a vendor, you can find all the way through the cleared check. That's really helpful.

With staff who turn in expense reports, so you're not paying back a vendor here, you're reimbursing your employee, you can reimburse them electronically, and they'll be notified when payment is scheduled and again when funds are available on their account. That screenshot I'm showing here is of Expensify, but there are many other apps like that, and you can pay wages when you're doing paychecks on payday using direct deposit. Lots of payroll companies now all have direct deposit. You can require that, so your staff will get notified. When they get paid, they can log in and see what their paycheck detail is, so ePayment, positive pay, hidden bank account information, all that protects your business.

The next tip is to monitor your bank activity, the bank statement. Those should always be reviewed by someone other than the bookkeeper. We tell our clients not to put that on paperless. We like actual... It's actually one of the few pieces of paper I do like to come in to the owners of the companies. Have an officer of the company review the statement monthly, just random spot check, ask questions. Hawthorne effect, remember? Just if people know you do that, that's information. If you do sign up for the paperless bank statements, then do remember to go grab them and look at them every so often.

You can get banking alerts. In addition to checking your balance and bank activity online, you can sign up for banking alerts so the bank will contact you by email or text message when certain activity occurs on your accounts, based on what you signed up for, such as a withdrawal exceeding a certain dollar amount, or a change of address. Then be really responsive when you get those fraud alerts. You could also investigate whether your bank offers ACH debit block. That controls... That blocks all ACH payments on your checking account except for the payments by the payees that you've specifically authorized as allowed. That's another cool functionality.

And then you have apps like QuickBooks Online and Expensify, that connect to your bank feed, and the process of matching the bank feed to the transactions entered allows you to validate your banking activity. You can do this frequently, more frequently than waiting until the end of the month reconciliation. So when the bank feed is not recognized, you can say, "Hmm, what is that? Why did that happen?" And you can take action on it immediately. That's important for credit card holders, to review their credit card activity regularly, because if you catch it in time, most financial institutions will deactivate the card, the compromised credit card, and reissue a new card, and credit you back for the fraudulent charges. Here's our next polling question.

Christine

All right, it is time for poll question number four. We're launching that now. Should be showing up on your screens, and we will keep this open for about a minute. We are right at the 30-second mark. Got about 30 seconds left everyone, on poll question number four. Remember, we have one more polling question left, so if you haven't gotten your vote in yet, make sure you do so. I'll keep this open-

Laura Redmond

And CAS-

Christine

... for another 15 seconds.

Laura Redmond

I was just going to say CAS, for those not familiar with it, that's when accounting firms act as the accounting department for their clients' businesses. Not tax or audit work.

Christine

All right, we're closing down poll question four in three, two, and one. Back to you, Laura.

Laura Redmond

Thanks, Christine. Okay, our last tip of the day is technology. Many of today's top tech tools for accountants are web-based, and they integrate with each other. When you're researching apps, check out the integration options. You probably want to start with a core general ledger, like QuickBooks Online, or NetSuite, or Sage, or Xero. Then, find tools that integrate with that general ledger and can help protect you from fraud. You've heard me call some out today, bill.com, Expensify, Gusto Payroll. There are thousands of others, literally thousands of others. Like, if you just go to QuickBooks Online's app center, there are hundreds and hundreds. I think there are over 1,000 just there, that work with QuickBooks Online, and then I'm sure the others, NetSuite, Sage, Xero all have their own ecosystem of other apps too, so there's lots to choose from.

And the integration of these apps protects your organization from fraud by allowing you to grant access to staff for only the apps they need, right? They don't necessarily need to be in the general ledger if all they do is sales. They can be in the CRM, right? So it keeps them out of secure areas, and it helps support the separation of duties. And the integration of apps automatically syncs data to and from the general ledger so you don't have to duplicate that effort, which means reduced labor, and it reduces the vulnerability to errors. If you have to duplicate enter things in both systems, you're more likely to have a booboo. And it also reduces the opportunity for fraud by manual entry.

The integration of apps also offers some special fraud protection functionality. As we've discussed to day, with ePayment, and positive pay, and bank fees, and so many more, like employees can log in to an online timesheet that has GPS tracking on their smartphone. That helps protect against buddy punching. There's lots of fraud preventative measures being built into these apps.

Today's web-based accounting solutions are also generally all bank-level secure. They're password protected. They're encrypted, so the data is entered, as it's entered, is encoded and masked as it travels out over the internet to the server, and this data's usually automatically backed up and always available to you, so these technology tools, these web-based cloud accounting solutions protect your organization from fraud, because they're considered more secure than, say, a filing cabinet with paper documents, sensitive paper documents in it, that can be stolen. I've read newspaper articles where criminals broke the window, got in, and took the entire file cabinet out of the building. A computer or a server with desktop programs and data files, that equipment can be just pulled out of the building and taken. There are cases of... Well, all sorts of things like that, but anyway, desktop programs can be backed up and guarded against data corruption and loss, and backup tapes stored in another location for safekeeping, but still, all of that can be automated now with technology, so take advantage of technology. That's this last tip.

Our firm builds accounting infrastructures based around Intuit's ecosystem, around QuickBooks Online, so we've researched into it, has a rigorous process to get listed on the App Store, so all of the apps that we use have passed that kind of security measure. And the cloud accounting infrastructure gives a business access from all different places, and that's really helpful. I want to throw out, we have one tip, and then our last polling question, we're done. So here's a tip, just for fun, bonus tip. If you're signing paper checks, or you're writing mileage on a title card for a car you're selling, or you're signing a legal document, or you're writing anything that you don't want to be washed and changed, this is a really cool pen to know about. It's about a dollar. When you write with it, it's permanent for the lifetime of the paper it's written on. It's pigment-based ink. It's not water-based or dye-based. There's no chemical that can remove it. It forms an indelible bond to the paper. The ink is absorbed in the paper's fibers, so when an individual tries to wash the information written on the check, the ink is in effect trapped, so it doesn't wash off, okay?

And our last thing, if you want to hear more about my firm's technology services, and our live checklists, or anything that we're doing, then just click yes on this one, and I'll get in touch with you after the webinar.

Christine

All right, that last poll question is up on your screen, so make sure you get your vote in in the next 60 seconds.

Laura Redmond

Thank you. And here, I'm just, while you're doing that poll, I'm just going to throw out, because we're at time now, I just want to throw out my email address and our website. If anyone is just looking for anymore information about what I was talking about today, I just wanted to throw that out. If you're struggling with technology, it's getting really sophisticated now, so if you just need help setting up, configuring apps, anything like that, we're here to help.

Christine

All right, perfect. Thank you, Laura, and with that, we are going to close down this last poll question in three, two, and one. And since we're due to time Laura, if you have any additional closing remarks, I will close out our session here.

Laura Redmond

I am done. I'm putting up that slide. I went onto the final thank you slide, but I'm going back in case people were answering polls and didn't get either my email address or our website. If you need any help, here we are. Otherwise, thank you so much, everyone, for attending, and have a great day.

Christine

Perfect. Well, thank you Laura, and thank you Diana for a great presentation and sharing your time and expertise with everyone today. I'm looking through the comments here. I'm seeing a lot of, "Thank you, thank you. This is an interesting webinar. Fantastic presentation. Thank you so much for an exciting presentation." So I think our attendees agree with me, so thank you Laura. And as a reminder for our attendees, we at CPA Academy will process your CPE credit within 24 hours. We're also going to send you a recording of this webinar and a copy of the handouts, and we also want to hear from you, so save all those great comments, and make sure you put those in the evaluation form for this webinar, which will be waiting for you in your inbox, and tell us how your experience was today. Thank you again to Laura and Diana, and thank you to bill.com for sponsoring today's webinar, and thank you to all of you for attending today, and sending in some great questions. Make sure you check out our calendar on cpaacademy.org, and we hope to see you again soon on future webinars. Have a great day, everyone.