Managing Risk Part 2: Reducing Fraud with Access Controls

6/13/2023 - By Michael Maricelli, CIA, AAP

In Part 1 of Managing Risk, we spoke about fraud cases rising every year and the importance of managing and preventing that risk. But how exactly do you do that? What kind of access controls should you implement to secure your business?

There are four types of security you can enact now.

Physical Security

Physical access controls are designed to protect an organization from unauthorized access and should limit access to only those persons authorized by management. Authorization may be explicit, such as a door lock for which the company has designated who receives a key, or implicit, such as a job description that implies a need to access sensitive material. Common physical access controls include:

Video cameras
Electronic logging
Biometric door locks
Security guards

Logical Security

Logical access is the ability to interact with computer resources granted using identification, authentication and authorization. These controls are the primary means used to manage and protect information assets.

Segregation of Duties

Segregation of Duties (SoD) is an important tool in which fraudulent activity can be discouraged and prevented. SoD avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner and in the normal course of business processes. Duties that should be segregated include:

Custody of assets
Authorization
Recording transactions

When duties are segregated, access to resources is limited and potential damage from the actions of any one person is reduced.

Human Resources Security

Human Resources departments play an important role in the prevention of occupation fraud. They are among the first to meet potential employees and the last to meet with exiting employees. Additionally, they receive notice when employees transfer within the organization from one department to another. As such, this places Human Resources in a unique position to implement controls to prevent fraudulent activity.

One important control to prevent fraud is background checks. All candidates for employment should be subject to background verification checks. The ACFE’s “Occupational Fraud 2022: A Report to the Nations” study noted 43% of victim organizations did not run a background check on the perpetrator prior to hiring. Of equal concern was that 21% of the background checks that were run revealed previous red flags that went unheeded.

Another important activity utilized by Human Resources is the monitoring of access rights to corporate assets, both physical and logical. The access rights of all employees should be approved by Human Resources prior to granting access and should be removed upon termination of employment. Additionally, physical and logical access should be reviewed when employees transfer within the organization from one department to another. Access rights needed in one department may not be required in the new department.

Here are some other effective steps you can take to reduce fraud risk:

Segregate financial duties. No single employee should handle all the steps of any transaction or all the activity in any account.
Make purchases only with prenumbered purchase orders. Also, check receiving reports against invoices before payment is made.
Prepare financial statements monthly and compare them against general ledger entries, bank statements, loan schedules and other supporting documents.
Compare cash receipts to accounts receivable every month. Be alert for unusual credit memos on receivables which could mask a diversion of funds.
Open every bank statement yourself instead of delegating this to an employee.
Monitor company credit card statements carefully to spot possible personal charges.
Review the employee payroll list regularly, looking for duplicate or missing Social Security numbers, addresses or phone numbers. These could indicate a phantom employee or overlapping payments to an employee.
Maintain personnel records independently of payroll and timekeeping functions. The payroll bank account should be reconciled by an employee who is not involved in preparing, authorizing or distributing paychecks or automatic deposits.
Periodically compare payroll with personnel records to make sure terminated employees are removed.
Always compare reported payroll tax withholdings to deposited withholdings.
Be inquisitive and unpredictable. For example, ask about expenditures you’ve never asked about before, and focus on something different every time you review a financial statement.

This is not a complete list of all the internal controls you should have in place, and even sophisticated controls may not stop a truly determined fraudster. But extra vigilance and a systematic approach to basic internal controls can make your company less vulnerable.

Questions?

Contact our IT team if you need to set up security controls to manage risk and prevent fraud now.

About the Author | Michael Maricelli, CIA, AAP

Michael is a senior consultant in the Financial Institutions Advisory Group at Saltmarsh, Cleaveland & Gund. Michael specializes in providing information security assessments, vulnerability and penetration testing, third-party risk management reviews, risk-based Nacha compliance audits and digital banking reviews. Michael has over 14 years of financial institution experience and has held positions in mortgage lending and internal audit. Before joining Saltmarsh, Michael was a director of payments risk and compliance at a regional payments association where he provided audit and risk assessment services for a variety of payment channels (ACH, wire transfer, remote deposit capture).