Kick-starting fraud risk management at small businesses
Small businesses are significantly more likely than their larger counterparts to neglect instituting basic anti-fraud controls that can save them from costly losses, as inferred by responses to our India Fraud Survey, Edition II.
One of the common perceptions that small businesses tend to carry is that fraud risk management is a costly, time consuming activity, and hence best approached when the business reaches a certain size. This impression is also bolstered by the fact that the Companies Act, 2013 exempts small businesses from certain clauses pertaining to fraud risk management. However, in our experience, small businesses tend to lose more to fraud—monetarily (as a proportion of business revenues) as well as reputation wise—than large businesses. This makes it imperative for them to focus on building effective internal controls.
Small organizations can consider instituting the following measures as a start to their fraud risk management journey:
• Enhancing the scope of internal audit – Internal audits can help review accounting processes to validate financial information, discover any errors, test internal controls, identify any gaps, and limit the legal and tax related damages that the business may otherwise suffer.
• Management certification of financial statements – This indicates that the business understands the observations made by the audit team (internal and external) pertaining to the organization’s financial position, fraud risks, and any other concerns. It also signals a willingness on the part of the organization to address any concerns in the future.
• Division of responsibilities – There should not be abundant concentration of job responsibilities in key functions. For example, in the Purchase department, the requestor, negotiator, and approver should be different people. Also, there should be multiple signatories to authorize transactions above a certain threshold. In our experience, some of the functions susceptible to fraud include sales, procurement, cash and bank operations, and employee reimbursement claims process. These can be a starting point for small and medium businesses to initiate division of responsibilities.
• Undertaking formal fraud risk assessment of key processes – Whether conducted by third party organizations or undertaken internally, fraud risk assessments of key processes and functions within an organization can help understand the level of fraud vulnerabilities better. If conducted internally, it should be done by personnel having in-depth knowledge of the business and market, and knowledge and experience of fraud. Some of the suggested processes that should be regularly reviewed include Sale (order to cash) process, Procurement (procure to pay) process, Inventory management, Financial reporting and closing (record to report) process, cash and bank operations, and employee expense reimbursement claims process.
• Defining a code of conduct – A code of conduct which is tailored to the needs of the organisation and adequately covers anti-fraud clauses can help set the tone among employees/third parties of ethical and unethical practices and penalties associated with undesirable behaviour.
• A channel for employees/third parties to report suspicions – While most small businesses tend to expect employees to report suspicious activity to their managers, it is also important to provide an independent channel, such as an unmanned complaint box, dedicated email ID, or installing a toll free number, that employees/third parties may use to report suspicious instances without fearing retaliation.
The aforementioned measure are neither expensive nor very time consuming compared to some of the traditional processes such as Finance, Operations and Sales that the business may invest in, as well as compared to the time and effort spent in fraud detection and response.
In our experience, small businesses with robust corporate governance and fraud risk management practices tend to attract investment opportunities and advice that can help them grow. You can read more about instituting fraud risk management measures here.
If you have any comments or would like to share your views, please write to us at email@example.com or on Twitter by following @deloitteindia.
Authored by Rajat Vig, Partner, Deloitte India