Smaller operations are more susceptible to fraud than their larger peers, writes Adam Courtenay.
Large financial frauds don't just happen in big business - they're also happening in the suburbs. Small businesses are sustaining larger median fraud losses than their bigger brethren, according to the Association of Certified Fraud Examiners.
Globally, the median figure for fraud losses for small business - those with fewer than 100 employees - is $162,000. For those with more than 100 employees, the figure is about $110,000.
The 2012 Report to the Nations indicates small and medium enterprises are the most common victims of fraud at 31.8 per cent - the highest rate of any business category.
So what kinds of frauds are these? Fairfax Media asked Ernst & Young's partner in fraud investigation and dispute services, Rob Locke, to rate the top five frauds.
Locke says there's nothing new about the scams, except that technology has proved not to be an effective preventive measure.
"Big business can probably absorb losses, but if the ACFE fraud numbers are correct, frauds of this magnitude could wipe out a small business's annual profit," he says.
The top five fraud risks for small business are:
False invoicing Most popular with fraudsters is the payment to fictitious suppliers or making payments to valid suppliers but diverting them to the fraudster's own account.
Transferring money by EFT to one's own account This is on the increase in both small and large businesses as online banking technology is adopted.
Cheque fraud This mostly incorporates writing cheques to cash, or overwriting cheques in the fraudster's favour. The risk is heightened if the same person who writes cheques also completes bank reconciliations, which in small companies can often be the case.
Payroll fraud, especially if there is a poorly segregated or larger base of between 70 and 100 employees It's easier for payments to go undetected if not properly scrutinised by someone other than payroll, but with requisite knowledge of the payroll. Overpaying overtime is also a problem, especially in collusion with an employee.
Skimming/theft of cash This happens in businesses with less-formal receipting processes (the ability to receive cash without issuing a receipt), or where the receiver can manipulate the debtors' ledger and apply other receipts to the cash transaction that was misappropriated (also known as lapping).
Locke says that while technology has streamlined business processes, it is virtually useless to stop fraud without appropriate supervisory and segregation controls. "All technology has done is enable larger frauds to occur in shorter time frames, increasingly by lower-level employees," he says.
Recent frauds that made the headlines were similar in the total amounts stolen (in many cases millions of dollars), he says, being of a short duration (only a matter of months), and the fact the fraudster was a relatively junior- to mid-level employee.
Business owners may also wrongly believe technology such as online banking has inbuilt controls to mitigate fraud, Locke says.
"It is not uncommon to find that payee details have been changed after the approval process and before a payments file has been uploaded," he says. "It's about understanding how the technology works for you - and what controls you need to embed in your processes upon implementing any new technology.
"It's still only as good as the segregations and authorisations configured in it. It's about how much access and authority you provide."
Gary Gill, who runs KPMG Forensic, says small businesses tend to lack the same degree of internal controls as bigger businesses.
"You often find that the bookkeeper runs the whole show - then you find he or she can easily raise false invoices and have them paid," he says. "The owner needs to keep a close eye on money being paid out."
Gill also mentions the "curse" of business growth: as it grows, it becomes harder to keep an eye on the money. Without the segregation of duties - without there being two different people putting in two different passwords - it is just a recipe for a fraud, he says.
Locke adds: "Don't just pay for software and then set up a bookkeeper with unbridled access. Understand where the exposures might lie. Have a look at financial reports - pull out bank statements, skim over them and see where it's all going."
Locke recommends taking the personalities out of the controls process and look at what's possible in the cold light of day.
"Do not discriminate in terms of trust," he says. "More often than not it's a longer-standing employee or a business partner who rips you off."