Running a small business presents many unique challenges, especially when assessing and mitigating risk. While risk affects all aspects of businesses, small businesses are particularly affected by both internal and external fraud.
According to the Association of Certified Fraud Examiners’ 2020 Report to the Nations, small companies with under 100 employees represented 26% of fraud cases and experienced the highest median loss of $150,000 compared to other business types (25). Within these small businesses, the most common financial fraud schemes are related to billing, check and payment tampering, and expense reimbursements (26).
Another factor affecting fraud prevalence is the business’s industry. Within the manufacturing industry, 23% of reported fraud cases involved billing and 20% involved expense reimbursements (30). As such, these are potential areas of fraud risk for a small business within the brewing industry. Effective internal control processes are critical to address these risks.
Internal controls can be either preventative or detective. Preventative controls attempt to address issues before they happen while detective controls are meant to catch issues after they happen. There are five main elements to structuring an internal control system: the control environment, risk assessment, control activities, monitoring, and information and communication.
#1: Control Environment
Establishing the business’s control environment is an important first step as all other aspects of internal control depend on it in some way. The control environment is comprised of management’s attitude towards internal control (also referred to as “tone at the top”), the organization’s ethical values, governance/organizational structure, and the level of enforcement of key policies and procedures. Since internal controls are processes participated in by all members of the organization, the company’s culture and attitudes towards controls are a major factor in how effective those controls are.
The control environment can be both preventative and detective as the company’s ethical culture and policies should discourage fraud and members of the organization should be encouraged and empowered to report any issues they might come across.
Some examples of internal controls related to the control environment are having an established organizational code of ethics, ensuring good hiring practices, and outlining the organization’s reporting structure.
Based on the 2020 Report to the Nations, only 48% of small businesses under 100 employees currently have a code of conduct in place, despite codes of conduct reducing median fraud loss by 51% and fraud duration by 50% (33-35).
#2: Risk Assessment
The second component of internal controls is a risk assessment. A risk assessment identifies the risks that affect the business internally and externally. Once risks have been identified, deciding which risks are the highest impact and/or most frequent is an important step to allocating control resources. The business should also decide how much risk it is willing to tolerate. Again, the ACFE’s Report to the Nations identified billing, expense reimbursements, and check payment-tampering as the most prominent threats. As such, a small business might want to invest more resources in protecting itself from these risks specifically. Internal controls related to these risks are discussed in the proceeding sections.
#3: Control Activities
Once risks for the business have been identified, there should be control activities in place at all levels within the company that help manage those risks. Some non-financial controls could be:
- inventory counts
- sending out customer satisfaction surveys,
- posting safety procedures,
- doing periodic sanitation inspections, and
- having performance reviews for employees.
These can provide the company better data for decision making and product investment, help contribute to good hiring/HR practices, and ensure compliance with regulatory bodies. Some key financial control activities are
- physical controls,
- reconciliations, and
- authorization procedures.
Physical Controls help protect a business’s physical assets. This can include items like inventory, equipment, cash, etc.
Within the brewing industry, maintaining proper inventory levels is important to serve customers. One example of a physical control would be to invest in a security system for the warehouse or cellar to protect from product theft or misappropriation. If the brewery handles cash, the business could store most of its cash in a password protected safe and limit access.
Reconciliations help identify issues as they arise to prevent misstatements and fraud. Reconciliations match financial information to a source document which points out errors and improves accuracy.
For example, performing a monthly bank reconciliation helps keep track of charges that the business’s accounting function has recorded versus what the bank has recorded. This can catch unauthorized withdrawals or transactions that went through the bank, but not through the accounting records and vice versa. Reconciliations can help address check and payment tampering, which accounts for 22% of small business fraud schemes (26).
Authorization helps enforce company policies and procedures regarding transactions and activities by adding a layer of approval.
Small businesses are prone to expense reimbursement fraud and one way to reduce this risk is to require authorization signatures. When an expense is incurred by an employee, there should be receipts or other documentation associated with it. Then, when the employee goes to file for a reimbursement, having a policy which requires a manager’s authorizing signature provides a layer of protection. That way, the manager would review the expense and its documentation before authorizing it and ensure it is necessary, reasonable, and qualifies for reimbursement. This prevents an employee from overstating their expenses or requesting reimbursement for non-business-related expenses.
Authorization can also apply to warehousing and transportation risks. For example, before inventory is moved, an authorizing signature could be needed to release inventory to the shipping trucks to prevent theft of assets during the shipping process.
Separation of Duties makes overriding existing internal controls much more difficult because more than one person is required to complete a task. Authorization, record keeping, reconciliation, and physical custody tasks should be assigned to different individuals.
For example, say a brewery needs to purchase yeast from a supplier. The individual who fills out the purchase order should be separate from the person who approves and signs off on the order. The employee who books the payment into the accounting system should also be different from the person who reconciles the entries at the end of the month. Not only can this help catch errors, but it also prevents an individual from having control over all the financial records in the business which puts the business at a higher risk for fraud.
While staffing may be an issue within small businesses, cross-training employees allows separation of duties to still be accomplished as multiple people are qualified to perform each distinct function.
Some examples of monitoring activities are management review and third-party reviews. Management reviews capitalize on managers’ business knowledge and experience to compare expectations to what happened. Managers can review journal entries, reconciliations, and budgets to confirm amounts and documentation. This keeps management aware of what is going on financially in the organization and adds another set of eyes to any billing, cash, and purchasing activities. Third party reviews are performed by an independent auditor, whether located within the organization (internal audit) or through an external auditor. These third-party reviews provide an extra layer of assurance that financial information is correct and accurate. A small business can outsource internal audit work to a CPA firm or can establish an internal audit department.
Having an internal audit function and management review controls in the business can lead to a 50% reduction in median fraud loss and fraud duration (33/34). As of 2020, only 31% of small businesses under 100 employees had an internal audit department and only 35% had management review controls in place. External audit is the most popular anti-fraud control among small businesses, with 56% of companies under 100 employees having an external audit performed on their financial statements (35).
#5: Information and Communication
Communicating correct and accurate information is key to running a successful business. Information should be communicated up the chain of command just as much as it should be communicated from the top down. Having established reporting lines and generally communicating within the business helps with internal controls. Employees at all levels should know what controls they need to participate in and report to their supervisors about those controls. Good communication and relationships between management and employees can also encourage whistleblowers to come forward.
Based on the ACFE Report to the Nations, 47% of small business fraud is detected by tip (21). Across all businesses, whistleblowers reported to their direct supervisor 28% of the time (23). Establishing communication channels, like a fraud-hotline can reduce median loss by 49% and duration of fraud by 33% (33/34). Implementing a fraud training program increases the likelihood that tips will be submitted (21). One of a business’s biggest resources is its people, and they can serve as a strong anti-fraud control.
A fraudster may have a clean record that does not show up on any background check. However, there is always a story and reason behind why seemingly good employees or managers may commit fraudulent acts. The Association of Certified Fraud Examiners explains this using the fraud triangle. For fraud to occur, there needs to be opportunity, pressure, and rationalization by the fraudster. A lack of internal controls over financial information can present opportunity. Pressure can come from any aspect of the fraudster’s life including family, financial, and work performance pressures. A fraudster may rationalize his or her behavior in many ways to tell him/herself that it was acceptable or okay. Perpetrators of fraud can cause more damage the more senior they are in the organization and the more power they have. Some indicators fraudsters show at work are unusually close relationships with vendors or customers, unwillingness to share duties, refusal to take vacations, and defensiveness. In their personal life they may be living beyond their means, experiencing financial difficulties, or be having family problems (53).
Small businesses are more likely to be victims of fraud due to a lack of internal controls whereas larger organizations are more likely to have their controls overridden (36). By creating strong tone at the top through a code of ethics/conduct and good communication, assessing risks pertinent to the industry, implementing control and monitoring activities such as those discussed in this article, and knowing the red flags of a fraudster, a business owner can better protect his or her business from fraud.
“ACFE Report to the Nations: 2020 Global Fraud Study.” ACFE. Association of Certified Fraud Examins. Accessed October 21, 2021. https://www.acfe.com/report-to-the-nations/2020/.
“Executive Summary | Internal Control-Integrated Framework.” Committee of Sponsoring Organizations, 2013. https://na.theiia.org/standards-guidance/topics/Documents/Executive_Summary.pdf.
“The Fraud Triangle: Association of Certified Fraud Examiners.” The Fraud Triangle | Association of Certified Fraud Examiners. Accessed October 21, 2021. https://www.acfe.com/fraud-triangle.aspx.
Student at University of Kentucky
Intern at Peer House