The Art of the Steal (14 page)

Another practice that should be carefully monitored is outsourcing. Businesses outsource so many things today, including accounts payable. How do you know the people you outsource to aren’t cheating you? One company outsourced its security detail; the guard firm assured the firm that it had checked out everyone. Well, they missed one guy. He had an arrest record for stalking. Fortunately, he didn’t stalk anyone in the company, but he did steal a bunch of laptop computers. So you’ve got to be careful, and I don’t believe in ever outsourcing accounts payable. You’re not saving a lot of money and you’re relinquishing control. You can outsource payroll, but not accounts payable.

YOU NEED MORE THAN BREADCRUMBS

A really basic thing to do is to create audit trails, but businesses have gotten away from this practice. Most companies create no records whatsoever. If you ask them, “Who authorized this change?” their answer is, “Gee, I don’t know.” Thieves aren’t going to suddenly have a moral awakening one day and turn themselves in. You need evidence of wrongdoing. That’s why audit trails were invented.

All access to master file records should be protected by a password and restricted by job function. Computer systems should then automatically create an audit trail of all changes made to those master records, including who made the change. A report of the changes should be printed and reviewed by someone independent of the employee who made the changes. This report is sometimes called an “access matrix.” Checking the access authority of each employee should be part of this review. Determine a standard “access profile” for each employee, and restrict the master file records to these employees. And immediately investigate any unusual or suspicious activity. Most computer systems are designed with audit trail capabilities, but companies rarely use them.

In one recent case, an accounts payable supervisor at a major manufacturer felt his mortgage was a little too large for his comfort. So he did a touch of editing in the master file that contained the company’s suppliers. Since he had no oversight, he could pretty much do as he pleased. He changed one of the vendor names to the name of his mortgage company, and edited in a reference to his loan number. Instead of his company sending a check to the supplier, it sent a sizable principal payment to the employee’s mortgage holder. What tripped him up was that mortgage companies generally won’t accept a large principal payment without specific written instructions. Since the guy wasn’t able to intercept the payment to include a written note, the mortgage company returned the check to the manufacturer and the fraud was uncovered. It would have been caught with an audit trail.

CHECKS AND BALANCES

It’s essential that you separate the accounts receivable and banking functions. Receipts and deposits must balance each day, and different people should perform these functions. Different groups should also process payments, disburse checks, and do bank reconciliations. If you don’t split up these duties, then a dishonest employee can issue a check to himself, or to a co-conspirator, remove the check from the bank statement, and alter the accounting records to hide the embezzlement.

No one person, no matter how much you trust him, should ever be in complete control of a transaction. I remember when bank loans, up to a certain limit, were issued on the say-so of one officer. Often, that officer could make loans of as much as one hundred thousand dollars. Say you’re a bank officer and I’m your college buddy. I come in and beg you that I’m desperate and need this loan. You say, “Okay, but I want something for myself.” So I give you a ten-thousand-dollar kickback and probably default on the loan. There’s a reason a committee now approves loans in banks. The same thing must happen in all businesses with all transactions.

I’ve spoken about how vulnerable companies are through their mailroom. It goes without saying that mailroom personnel must have absolutely clean backgrounds. And you need to put in internal safeguards to discourage theft of incoming or outgoing checks. So many companies that have been the victim of an altered payee-check scam have traced the source of the original checks to their own mailroom.

One important step is to replace your company name and address on disbursement envelopes with a simple post office box number. This box should be solely for returned checks. And you’ve got to segregate the processing of returned checks. Any checks that get returned should not be returned to the area that originally processed them. A person independent of the payment function should handle these and investigate why they were returned.

CHECK CHECKING

Company checks should be made secure by using some of the techniques I mentioned in the chapter on checks. All checks and cash equivalents, whether they’re preprinted or entirely blank, should be stored in a locked facility and only those employees who truly need access should have it. A physical inventory should be conducted at least once a quarter to account for every check. Zero amount checks and checks that have been canceled or voided should immediately be written or stamped “void” or “canceled” so they’re unusable. All canceled or voided checks that have a signature on them should have the signature removed. And someone other than the accounts payable processor who handled the original transaction should be responsible for accounting for all voided or canceled checks. Too often, checks that are to be canceled or voided are left lying in someone’s in-box, even though they’re still “live” checks. Employees aren’t dumb. They know that a replacement check was issued for the canceled or voided check, and so the canceled check won’t be missed if they take it.

An accounts payable department of a city office out West had the bad habit of throwing away any checks that had been crumpled by the printer. The checks weren’t voided. A member of the cleaning crew had his own habit, which was to rescue those checks from the trash, forge signatures, and cash them for increasingly large sums of money. The thefts weren’t discovered until the account was overdrawn and more than $1 million was gone. The city, it was discovered, hadn’t reconciled its accounts in more than a year.

All obsolete check stock should be shredded as soon as possible. Often, when bank accounts are closed or when highly secure check stock replaces old checks, boxes of the old checks are left unattended outside the locked cabinet where the new checks are stored. Some companies even store old checks on a pallet in a warehouse. Their rationale is that there’s no need to worry about checks drawn on an account that has been closed. Checks are checks. Even though an account has been closed, someone could steal the old checks and pass them on to an unsuspecting third party. And guess what? The company would be considered negligent and be held responsible for the loss.

I tell every company I visit, make sure you empty the laser printer tray of checks and return them to the locked storage area after every check run. All too frequently, unused checks from the last check run are left in the printer tray. Anyone could find them and use them. And change keys or entry codes periodically to prevent unauthorized access to all of your secure areas.

There was an apparel maker in the Northwest that lost a lot of money from forged company checks that an employee had stolen. The company was puzzled. It thought it had really tight controls. An audit firm was brought in and traced the problem to a handful of blank checks left lying on the printer.

SEND US A POSTCARD!

And don’t forget this one: make people take vacations, especially the ones who handle your money and financial records. Every employee has to be out of the office and without control over transactions for at least one week a year. Large embezzlement schemes, as I have already pointed out, often must be maintained daily, and key figures in the scheme will resist being away. And remember, most sophisticated embezzlement schemes are conducted by the long-tenured, trusted bookkeeper, controller, or chief financial officer. If any of them never takes a vacation, find out why.

As I’ve said before, nothing is foolproof. But I’m convinced that any company that follows these steps is removing a lot of temptation. Someone who wants to embezzle is probably going to apply for a job elsewhere, where the taking is easier.

5

[THE ROCK IN THE BOX
AND THE MUSTARD SQUIRTER
]

A
few years ago, a young man living in New York contacted the local phone company and asked to speak to customer service. When he was connected, he explained to the representative that he gave advice over the telephone on the stock market, and he wanted to start charging for his insight.

“Oh, so you need something like a 900 number,” the representative said.

“Yes, exactly,” the man said. “What I want to do is charge thirty-five dollars for the first minute, and then a dollar a minute after that.”

The customer service representative told the man that they had a number of area codes that could be set up to do exactly that: 900, 847, and a few others. “Give me an 847,” he said. He chose that code deliberately. Many people, from calling astrology or other self-help numbers, know that you have to pay when you call a 900 number. But, with the flurry of new local area codes that have been introduced in and around New York, not many people know about 847 and some of the other codes.

In short order, the man was all set. And not to give any kind of stock advice. He sat down at the phone with the Yellow Pages. He began at the front of the directory and moved alphabetically through it. He’d pick a category: air conditioners. He’d phone a supplier and be routed to sales. Often enough, he’d get someone’s voice mail. He’d leave a message to the effect of: “I’m from Aurola Sales. I need about ten pretty good-sized cooling units, as soon as possible.” He left his new 847 number.

A salesman would hear the message and get right on the phone. The guy would pick up, “Sorry, you have the wrong number.” Bam. He just made $35. The salesman would figure he misdialed. He’d call right back. “Sorry, wrong number.” There was another $35.

The man would do this day after day. He’d mark his page in the Yellow Pages at night and in the morning would resume from where he had left off. Sometimes, he was given pager numbers, and he’d go ahead and page people to call him at his 847 number. Because these were businesses he was calling, they all incurred large enough phone bills that they would never detect an extra $35 or $70. For the young man, it added up quite nicely. It wasn’t long before he had cleared more than $1 million. And he was never caught.

LOW RENT DOESN’T MEAN LOW RETURN

It’s a deceptive world out there today, and I have to give criminals credit. They’re clever. On top of hot checks, counterfeit documents, and embezzlement at the office, there’s a whole patchwork of little scams that prolific con artists play on a gullible public, some of them puckishly insidious. Many of them have a shape so surprising that their place in the annals of con artists is insured. They involve irresistible forces that entice even highly intelligent and wary consumers. The artful confidence man can extract money from just about anyone, because he’s an astute student of human nature and knows the power of deception.