Detecting and Preventing Employee Fraud: The Biggest Threat to AP Teams May Come from Within

There’s a lot to be worried about these days, and information security is at the top of the list. We are beset with phishing attacks, ransomware, identity theft, application hacks, and breaches of our confidential financial and business data. Amidst all of this, it comes as a shock that many cases of fraud originate inside companies—from employees, from colleagues we know and trust. Employees who commit embezzlement and fraud don’t look or act like bad people. In fact, most people convicted of employee fraud have never previously committed a crime.


Surprising Facts About Employee Fraud

Here are some shocking stats about employee fraud:

  • Organizations lose 5% of revenues to fraud globally, or more than $4.5 trillion annually.
  • 1 in 4 companies has been the victim of occupational fraud.
  • Seven out of 10 employee fraud cases came from organizations with fewer than 500 employees.
  • The loss is greater for small businesses. Businesses with fewer than 100 employees report a median loss of around $200,000, while those with more than 100 employees report a smaller median loss of $104,000.
  • Employee fraud typically goes on for two years before it is detected.

As you can see, small and mid-market companies are not only at greater risk of employee fraud, their median losses are nearly double those of larger companies. What is perhaps even more startling is that these frauds can go on undetected for years. Maybe you are already familiar with these statistics, but we often shy away from the hard truth. It’s a shock when people we know steal; the betrayal, the bitterness of being duped, is painful.

My intention here is not to cast doubt on employees. What is needed is more light, more transparency, and more confidence that if something does go wrong, we can figure out what happened. We need to trust our employees, and they need to trust us. Trust is central to making companies work. So, what’s to be done? Let’s take a note from former president Ronald Reagan. When he was negotiating with the Russians on nuclear arms reduction treaties he said, “Trust, but verify.”


Identifying Common Types of Employee Fraud

The first step in embracing this philosophy is the easiest, and if you’ve gotten this far, you’ve already taken it: take fraud risk seriously! Companies where the leadership team sets the tone that security is important will be better prepared and get better results.

More often than not, employee fraud starts out as a crime of opportunity rather than premeditation. Companies can reduce their risks by eliminating opportunities for employees to commit fraud. To do this, you need to understand your risks. When it comes to accounts payable, here are some common ways employees commit fraud, theft, and embezzlement:

  • Skimming: sales, receivables, refunds, and others
  • Billing schemes: shell companies, personal purchases
  • Check tampering: forged makers, forged endorsements, altered payees, authorized makers

There are other ways frauds are committed and there are likely other concerns that are specific to your operation. Some industries have more exposure than others. The size of your organization can also make a difference in your risk profile. This is precisely why you need to make a list of your company’s risks and monitor them on a continuous basis.


Determining Gaps in the Payment Process to Avoid Fraud Risks

Once you have determined your business’s fraud risks, you can proceed to identify the gaps between what you expect of your payment process and what you can actually verify. Here are some questions to help quantify those gaps:

  1. Who has access to your accounting systems?
  2. How is access granted?
  3. Is there segregation of duties between team members performing different tasks in the AP process?
  4. How do employees access sensitive systems? Does access require authentication? What kind of authentication?
  5. Is there a sufficient audit trail to enable a forensic review if something goes wrong? Are those audit trails secured from being tampered with?


How to Prevent Employee Fraud

Whatever specific risks you’ve identified and whatever gaps exist in your current operations, there are a few important preventative controls that every business would likely benefit from. Here are three ways you can mitigate employee fraud:

Access controls

  • Limit access to accounting systems based upon these principles:
    • Role: only people performing previously identified job functions should be granted access.
    • Need-to-know: regardless of role, employees must have a need to know in order to be granted access.
    • Least privilege: employees who are granted access should receive only the privileges required to do their job.
  • Require strong authentication to sensitive systems. Use unique usernames with strong passwords and enforce two-factor authentication.

Segregation of duties controls

  • Maintain segregation of duties and responsibilities between employees. Whenever possible, Accounting Managers should not also be Payment Approvers, Invoice Approvers should not also be Account Managers, and so on.

Audit logging controls

  • Finally, maintain an audit trail of sensitive activities, and make sure the audit trail itself can’t be altered.
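As an added illustration of the last two controls (it is not code from the original post or from MineralTree), the following Python sketch checks a constructed set of AP role assignments against the incompatible role pairs named above, and shows one way an audit trail can be made tamper-evident: each record carries a SHA-256 hash over the previous record's hash and its own contents, so any after-the-fact edit breaks the chain. The role names, users and event fields are assumptions made for the example.

```python
import hashlib
import json

# Constructed example: role assignments for a small AP team (not real data).
ASSIGNMENTS = {
    "alice": {"Accounting Manager", "Payment Approver"},  # holds both roles of a conflict pair
    "bob": {"Invoice Approver"},
    "carol": {"Account Manager"},
}

# Hypothetical segregation-of-duties policy: pairs of roles one person must not hold together.
SOD_CONFLICTS = [
    {"Accounting Manager", "Payment Approver"},
    {"Invoice Approver", "Account Manager"},
]

def sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return (user, conflicting roles) for every user holding both roles of a conflict pair."""
    found = []
    for user, roles in sorted(assignments.items()):
        for pair in conflicts:
            if pair <= roles:  # subset test: user holds every role in the pair
                found.append((user, tuple(sorted(pair))))
    return found

def _digest(prev_hash, event):
    # Canonical JSON (sorted keys) so the same event always hashes the same way.
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def append_event(chain, event):
    """Append an audit event; its hash covers the previous record's hash, linking the chain."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"prev": prev, "event": event, "hash": _digest(prev, event)})
    return chain[-1]["hash"]

def verify_chain(chain):
    """Return the index of the first record whose link or hash no longer matches, or -1 if intact."""
    prev = "0" * 64
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return -1

def demo_tamper():
    """Build a two-event trail, then alter the first event and re-verify."""
    chain = []
    append_event(chain, {"user": "bob", "action": "approve_invoice", "vendor": "ACME", "amount": 1200})
    append_event(chain, {"user": "carol", "action": "release_payment", "vendor": "ACME", "amount": 1200})
    before = verify_chain(chain)                 # -1: intact
    chain[0]["event"]["vendor"] = "Shell Co"     # simulated edit of a stored record
    return before, verify_chain(chain)           # (-1, 0): tampering detected at record 0
```

A hash chain only proves alteration if the latest hash is kept somewhere the people who write the log cannot rewrite, for example periodically copied to a separate system or write-once store; the chain by itself is not the control.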


Final Thoughts

Implementing an AP Automation solution like MineralTree is an efficient and cost-effective way to put quality security controls on your Accounts Payable process and prevent fraud. Just remember that even when you’ve implemented quality security controls, your work is not done. Security is a perpetual process. You need to stay active and engaged. Review your risk assessment and adjust your controls as circumstances change. And most importantly, monitor and review your audit logs. Fraud incidents often go on for years without detection. Take the time now and then to really look at your logs. Trust, but verify.

Of course, companies benefit from having a reliable, transparent, and verifiable process. But employees benefit too. A sound AP process with proper security controls protects employees from bad actors who would not only steal from the company, but could also implicate well-meaning employees in wrongdoing when there is no way to verify what actually happened. “Trust, but verify” works to everyone’s benefit.




Kevin Eberman, Senior Director of Information Security, MineralTree

Kevin Eberman has proven ability and an enduring enthusiasm for Information Security. A Certified Information Systems Security Professional (CISSP), Kevin has more than 20 years of experience managing Information Security, Operations, and IT groups at startups and large technology companies. He has extensive technical knowledge of security, software development, cloud operations, networking, and high-availability solutions. As MineralTree’s Senior Director of Information Security, Kevin has shepherded the entire organization through a number of security certifications, including SOC 1, SOC 2, and PCI-DSS Level 1 Service Provider. As technology continues to evolve in new and exciting ways, Kevin and his team will continue playing a pivotal part in keeping MineralTree and its customers’ data secure. Follow Kevin on Twitter @Manager_of_it.