Perhaps one of the most powerful tools available to management to mitigate the risks of fraud and theft is the computer. Ironically, the computer is also the source of a vast amount of fraud and theft that occurs in business today. Mobile computing has made businesses even more vulnerable.
Here are 10 steps CPA business owners can take to implement control procedures around automation to help mitigate fraud and theft risks.
- Require the use of unique user identifications and strong passwords for everyone, no exceptions. Never use administrative-level user identifications and passwords to enter transactions. These are reserved for limited administrative tasks only. No exceptions. Strong passwords should be 10 to 15 characters long and alphanumeric, contain at least one special character, and may not be any word or jargon in any language. If it were easy, it would not be secure. Passwords are not to be shared with anyone, including technical staff! Never use a password at the office that you use for personal use and vice versa. Require PINs or swipe codes on all mobile devices. Enforce this policy through Active Directory or Lightweight Directory Access Protocol (LDAP), which is an Internet protocol that e-mail and other programs use to look up information from a server.
- Have an owner or senior manager receive all statements (bank, credit, brokerage, etc.) and initial them before forwarding to accounting for reconciliation. The owner or senior manager then reviews and approves the reconciled statement. Automated tools on mobile devices can ease this process.
- Have an auditor, owner or senior manager periodically review audit trail reports of transactions entered into the system for authority and correctness. Review the date and time each transaction was entered for irregularities. Download and inspect audit logs from mobile devices. In some cases this can be done automatically. Inform employees that the audit trails on the devices will be inspected.
- Have the owner or manager periodically review several detective reports, including the credit memo report, inventory adjustment report, new customer and new vendor reports, and change of address reports for all of these. Consider restricting changes to these records from mobile devices. The convenience of entering information on a mobile device may lead to fraudulent acts by enabling easy changes that are not inspected.
- Create a list of pre-approved vendors annually and review any exceptions. Limit vendors that can be used from mobile devices. Set up payment systems from mobile devices to flow through a separately controlled account.
- Create a list of approved purchase prices and sales prices. Review exceptions. Minimize or control what can be purchased from mobile devices.
- Conduct a physical inventory at least annually, without the on-hand quantities printed on the count report! Mobile technology may ease routine inventory counts and I recommend this. However, consider checks and balances on inventory to prevent fraudulent activity.
- Have owners review regular period close and period end reports. Mobile dashboards can report exceptions daily. Alerting to mobile devices can report violations of thresholds to management for action.
- Clean and scrub databases (customers, vendors, employees) annually. Control what is delivered to mobile devices and protect against shadow systems that keep unauthorized data on mobile devices. Consider draconian procedures like wiping devices periodically to enforce this.
- Keep accounting systems current and up to date. Routinely patch all mobile systems to protect against known issues.
By following the above 10 steps, CPAs can ensure that their systems are not only up-to-date, but that their businesses are mitigating risk of fraud.
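Several of the steps above (audit trail review, no transactions under administrative IDs, pre-approved vendors, limits on mobile entry) can be combined into one automated exception report. The following Python sketch is an added example, not part of the original article; the CSV column names, business hours, user names and vendor names are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample audit trail; the column layout is an assumption.
AUDIT_CSV = """entered_at,user,is_admin,source,vendor,amount
2024-03-04 10:15,jsmith,no,desktop,Acme Supply,1200.00
2024-03-04 23:42,jsmith,no,mobile,Acme Supply,980.00
2024-03-05 09:05,administrator,yes,desktop,Acme Supply,450.00
2024-03-09 14:30,mlee,no,mobile,Quick Parts LLC,3100.00
2024-03-06 11:20,mlee,no,desktop,Northside Paper,75.50
"""

APPROVED_VENDORS = {"Acme Supply", "Northside Paper"}  # annual pre-approved list
MOBILE_VENDORS = {"Northside Paper"}                   # subset usable from mobile
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed office hours


def review_row(row):
    """Return the list of reasons a transaction needs owner review."""
    reasons = []
    ts = datetime.strptime(row["entered_at"], "%Y-%m-%d %H:%M")
    # Weekend entries and entries outside office hours are irregular.
    if ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() <= BUSINESS_END):
        reasons.append("entered outside business hours")
    # Administrative IDs are reserved for administrative tasks only.
    if row["is_admin"] == "yes":
        reasons.append("entered with administrative ID")
    if row["vendor"] not in APPROVED_VENDORS:
        reasons.append("vendor not on pre-approved list")
    elif row["source"] == "mobile" and row["vendor"] not in MOBILE_VENDORS:
        reasons.append("vendor not allowed from mobile devices")
    return reasons


def exception_report(csv_text):
    """Return (file line, user, vendor, reasons) for each flagged transaction."""
    report = []
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        reasons = review_row(row)
        if reasons:
            report.append((line_no, row["user"], row["vendor"], reasons))
    return report


if __name__ == "__main__":
    for line_no, user, vendor, reasons in exception_report(AUDIT_CSV):
        print(f"line {line_no}: {user} / {vendor}: " + "; ".join(reasons))
```

The owner or senior manager, not the person who entered the transactions, should run the report and follow up on each flagged line.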
Randolph P. Johnston, MCS, MCP, is executive vice president at K2 Enterprises. He is a nationally recognized educator, consultant and writer with over 30 years of experience in strategic technology planning, systems and network integration, accounting software selection, business development and management, disaster recovery and contingency planning and process engineering. Please note the product recommendations and advice as expressed in this article are solely the author’s and in no way reflect the views of the AICPA or CPA Insider™.