Small businesses can be just as much at risk for fraud as big businesses. So, as the small-business owner, it's important to conduct fraud risk assessments on a regular basis.
The two basic purposes of fraud risk analysis are to determine: 1) who might commit fraud (not just inside the company but outside), and 2) where the fraud might possibly occur in the company.
The people designing the risk assessment should pretend they're the fraudster, to come up with ways to detect fraud early on. They must try to think like a crook to understand how a fraudster might cover up the crime or evade detection.
Building Your Team
The first thing you should do, though, is assemble a team for developing a protective strategy against fraud. Members of the team should represent various types of personnel—how extensive this is will depend on the size of the small business, but generally, you should consider including these employees:
- Management personnel
- Someone in accounting or finance
- Additional personnel from operations and legal
- Other personnel who might be able to add a unique perspective
Identifying Fraud Risks
Once the team is assembled, it should identify all the fraud risks that could, even in the slightest sense, occur to the company.
Then it should determine what the odds are for each type of fraud ever happening. How significant is each particular risk? Which departments stand to be affected by each identified risk? Finally, what kind of actions should be taken to manage the identified risks?
The team should burn a lot of brain cells over this. The members should have in-depth discussions about all the possibilities, motivations and opportunities that can lead to fraudulent behavior.
- Why would someone inside the business want to commit fraud?
- Why would someone outside want to do it?
- Who might do it?
- How could they do it? What are the common cyber scams? How about offline scams?
- How would they try to conceal it?
- Who in the company would be particularly skilled at concealing fraud?
- Whom would it impact?
- What are our weaknesses?
The list of questions goes on and on.
In a small business, the fraudster could be a decision maker, someone high up. This must be considered in the team’s brainstorming.
Types of Fraud
What are specific types of fraud? Here are some examples:
- Misappropriation of assets (including by ex-employees and current vendors)
- Unauthorized expenditures
- Falsifying expenditure reports
- Falsifying revenue reports
Does your small business have an efficient information technology department? The IT department’s job is to make sure that all electronic communications run without any glitches. Communications, of course, include the processing of financial data and the storage of highly sensitive information. The IT department can be the company’s glue, holding those elements together.
If your business has an inept or rudimentary IT department, you could be asking for trouble. A weak IT department can make it easier for someone to commit fraud.
One of the priorities of the fraud risk assessment team should be to evaluate your IT department. Fraudsters can infiltrate a small business by sending a phishing scam email that tricks an employee into opening an attachment which downloads a virus—infecting the company’s entire system. The IT team would be responsible for training employees in recognizing these malicious emails.
Another area your IT team would address is that of employees mixing personal online activities on their company-supplied smartphone which they also use for business—this can lead to data breaches.
The IT department has the potential to wield a lot of power in terms of fraud prevention. It's just one of the ways small businesses should take fraud risk assessment as seriously as any large corporation.
Robert Siciliano is the author of four books, including The 99 Things You Wish You Knew Before Your Identity Was Stolen. He is also a corporate media consultant and speaker on personal security and identity theft. Find out more at www.RobertSiciliano.com.
Read more articles on cyber security.