Like large companies, small companies may become victims of computer hardware thefts that can expose company information and records. Small businesses are easy prey for hackers, too. The New York Times recently reported that hackers have broken into the phone networks of small companies, rerouting thousands of unauthorized calls to premium-rate overseas numbers, resulting in more than US$100,000 in charges for the impacted businesses.
When small businesses and startup companies experience a fraudulent event, they may be hit disproportionately harder than larger organizations and have more difficulty absorbing the losses. For those companies, a significant fraud incident can harm their reputation, cost innocent employees their jobs, cause personal investments to be lost, and make creditors wary of helping the victimized business in the future. Despite such threats, many small-business executives underestimate their company’s fraud risk.
Small firms are particularly unprepared for today’s sophisticated high-tech frauds. Internal auditors can help educate small-business owners and executives about such threats and conduct reviews to identify potential vulnerabilities.
Small and Vulnerable
Small companies are more likely to experience fraud than large firms. In the past two years, 29 percent of reported occupational fraud cases occurred at companies with fewer than 100 employees, according to the Association of Certified Fraud Examiners’ (ACFE’s) 2014 Report to the Nations. The median loss per fraud scheme for a small business is US$154,000, the ACFE reports. Small companies tend to be more susceptible to employee misconduct, lapses in technology oversight, unauthorized technology changes, a lack of internal controls, and inadequate segregation of duties.
Asset misappropriation is the most common fraud among all businesses, occurring in 85 percent of cases, although it typically is the least costly fraud. Corruption schemes make up one-third of small-business fraud cases, while financial statement fraud happens in 12 percent of such cases.
Many technology-related frauds stem from information security incidents such as data breaches. The Ponemon Institute, an independent privacy and security research organization, reports that 55 percent of responding small businesses have had a breach, and 53 percent have had multiple breaches. But technology-related fraud can come from within, too. IT personnel were perpetrators of fraud in 3 percent of cases, the ACFE notes.
Internal auditors at small companies can help their organization reduce the risk of technology-related fraud. They should start with fraud basics like educating management about the signs of fraud and likely perpetrators, such as employees who are living beyond their means or experiencing financial difficulties.
From there, auditors should advise management about the many tangible and inexpensive actions even small businesses can take to address fraud, including implementing a code of conduct and anti-fraud policy. To detect wrongdoing sooner, executives should implement a whistleblower hotline that employees, customers, and vendors can access by phone and through the company’s intranet and extranet. According to the ACFE report, only 18 percent of small companies have fraud hotlines, compared with 68 percent of other businesses, yet hotlines reduce the median duration of fraud from 24 months to 12 months. Building fraud training into the internal audit plan can help educate employees about fraud red flags and empower them to speak up about possible incidents.
Beyond these basics, internal auditors at small firms need to address the likely technology enablers of fraud and review the effectiveness of their organization’s safeguards.
Watch out for the top causes of technology-related fraud. Many types of network attacks can put small companies at risk of fraud. For example, phishing emails are a significant threat for small businesses and startups because they may have no rules or policies about handling such emails, may not monitor for potential phishing messages, and may not know how to resolve the incidents that result when someone responds to a message or clicks a link it contains.
Small businesses are particularly vulnerable to data breaches and hacking attacks, which typically target electronic records. Auditors should look for leading causes of breaches such as employee or contractor errors, procedural mistakes, and lost or stolen laptops, smartphones, and storage media.
Small companies also need to guard against identity theft. Identity thieves seek their business account information, employer identification numbers, bank account numbers, or even key employee Social Security numbers. Making matters worse, small businesses do not receive the same protections as consumers in identity-theft cases.
Plan regular and surprise audits in areas that may pose greater risk. Based on the company’s risk assessment, internal audit should conduct an occasional deeper-dive review of areas with potential risk from technology-related fraud.
- An intellectual property audit can assess the types of sensitive information the company retains — such as credit card and personally identifiable information — what it is used for, and where it resides on the organization’s computers and servers. Auditors can confirm whether the sensitive data is isolated or segregated, and determine whether encryption methods are used for protection.
- Internal audit should test information security controls for the company as well as for outsourced vendors. Such tests should confirm the use of strong passwords, regular password changes, and regular updates of antivirus and anti-spyware software on computers and servers. Auditors should verify that the company uses a secure, encrypted connection such as Secure Sockets Layer (SSL, now superseded by Transport Layer Security, TLS) to protect sensitive data while in transit across the Internet and that it uses secure wireless connections throughout the business. Also, they should check that the company has implemented privacy and security policies — including what can be downloaded and appropriate use of social media — and that the company has processes in place to monitor what is being said online. Moreover, internal audit should review Service Organization Control (SOC) reports regarding outside vendor services and confirm that the controls are appropriate for the organization.
- Other areas internal audit should review are financial operations, cash-handling processes, inventory, and related-party transactions.
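A small data-discovery scan of the kind the intellectual property audit above calls for, written here as an added example (it is not code from the article or from the ACFE): it walks a directory tree, flags files that hold Luhn-valid card numbers or SSN-shaped strings, and masks what it reports so the audit workpapers do not become a second copy of the data. The sample files, the well-known test card number 4111 1111 1111 1111, and the SSN are constructed for the demo.

```python
import os
import re
import tempfile

# Runs of 13-19 digits, optionally separated by single spaces or dashes (card numbers).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security number in its dashed form; broad on purpose, review hits by hand.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_valid(digits: str) -> bool:
    # Luhn check digit test filters out most random digit runs (order numbers, IDs).
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2:  # double every second digit from the right, folding 10..18 to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    # Keep only the last four characters so the audit report is not itself a leak.
    return "".join("*" if c.isdigit() else c for c in value[:-4]) + value[-4:]

def find_sensitive(text: str) -> dict:
    # Masked card numbers (Luhn-valid only) and SSN-shaped strings found in one text blob.
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    return {"cards": [mask(d) for d in cards if luhn_valid(d)],
            "ssns": [mask(s) for s in SSN_RE.findall(text)]}

def scan_tree(root: str) -> dict:
    # Map each file under root that holds sensitive data to its masked findings.
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = find_sensitive(fh.read())
            if hits["cards"] or hits["ssns"]:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo() -> dict:
    # Constructed sample tree: a known test card number, a fake SSN, and a clean file.
    root = tempfile.mkdtemp()
    samples = {"orders.csv": "id,card\n1,4111 1111 1111 1111\n2,4111111111111112\n",
               "hr_notes.txt": "New hire SSN 123-45-6789 (constructed sample)\n",
               "readme.txt": "Invoice 2024-0001, nothing sensitive here.\n"}
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Pointed at a real file share the scan only tells the auditor where card and SSN data sit; confirming whether those locations are segregated and encrypted is still a manual step.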
A Matter of Survival
While the ACFE reports that companies frequently lose 5 percent of their revenues to fraud, that can be a high price to pay for a young company trying to generate income and get off the ground. Internal auditors at small companies need to help the business prevent and monitor for technology-related fraud or run the risk that it will become a victim.