The very innovations that are making businesses more dynamic and profitable in the past decade are also making them them more vulnerable to financial malfeasance. Reduced supervision due to technological advances and downsizing, the growing importance of the Internet in business-to-business relationships, and the accessibility of foreign markets have all created unheralded opportunities for professional grifters and ambitious amateurs to skim, bilk, and steal, according to leading experts

"Preventing fraud is one of the primary responsibilities of the controller," said Phil Livingston, the president and chief executive of the Financial Executives Institute.

Livingston pointed out that it is not as simple as making sure disbursements are properly executed. Gifts received by employees, the renewal of vendor contracts, and small-time theft and bartering of company services are all potentially costly breaches of security, and difficult to track.

Small Money, Big Threat
A 1995 survey of Canadian businesses by KPMG showed that even though the most common types of fraud among respondents, check forgery and inventory theft, were relatively inexpensive on a case-by-case basis, the aggregate effect was sizable. Just those two types of fraud, averaging around $5,000 per incident, made up more than 50 percent of reported frauds reported.

While extortion, which cost an average of $213,000 per incident according to the survey, is much more newsworthy, it does not represent nearly the threat that the little frauds do. Extortion is a plane crash, but more people die from clogged arteries.

When confronting the specter of fraud, controllers should remember that an ounce of prevention is worth a pound of cure. More than anything else, respondents to the KPMG survey said that the key to better fraud prevention is internal controls. There are certain basic rules that a controller should follow, and certain procedures she can establish to ensure that fraudulent behavior is made more difficult and can be caught quickly.

Risk Assessment
The first step is risk assessment. Sit down and make a list of all the steps your company takes to buy and sell services. Vendors and other external service providers are of special import, and it is important not to ignore anything, no matter how small. It is often easy for employees to arrange with vendors of small services, like office supplies and water for coolers, to inflate prices and share the markup in the form of kickbacks.

These frauds often slip below the radar of upper management because they are not directly related to a company's main business endeavor. One-time or infrequent expenses, like facilities repair and deliveries, are another golden opportunity for the unscrupulous to scam a few bucks, or less. According to a 1999 study of fraud in the hospitality industry, employees involved in price-fixing collusion with external service providers are often paid in barter. Those involved received such perks as discount travel, free construction work on their homes, or even, in one case in a major U.S. hotel, free orange juice and butter.

Fraud experts say the other area to watch in risk assessment is payroll. How often are bank deposits checked against check stubs and receipts? How are records kept? Can any employee alter computer records from which payroll or financial integrity reports are generated? If so, are there hard-copy back-ups for all computer entries, and who has access to them?

The More the Merrier
The two most important ways to protect against these frauds are detailed records keeping with regular consistency checks, and separation of duties. In other words, the more people you have handling each transaction, the better off you are.

If staff size permits, different people should approve expenses, cut checks, dispense payments, and record all disbursements. That way, there are more people to notice malfeasance, or more people who want a cut of any ill-gotten gains, making the fraud less profitable and, by extension less worth the trouble. Similarly, it is essential to have a strong organizational structure and well defined job descriptions.

Computer security and hard-copy backup records keeping are also very important in this area. Make sure that your computer system allows data viewing without entry capability, and data entry without access to summaries or other records not being used. A layered password system, changed every couple of months, is a must, especially if your company is relatively small and you have to substitute rotation of duties for division of labor.

Many consistency checks can be programmed into computer systems (preferably by the controller or top management). Many advanced accounting programs marketed to businesses include options that flag any dips or surges beyond a level set by the system operator.

It may seem tedious and annoying to go over every little alarm sounded by such a system (we all know how our particular business ebbs and flows). However, the routine is usually far less time-consuming than doing a full audit every week or month, and far less troublesome than a full fraud investigation would be. Also, run consistency checks after any staff shifting or changing of passwords.

Another kind of consistency check is the review of contract fulfillment. Random checks of vendor receipts and inventory may often uncover ongoing small-time frauds. And even when no fraud is present, vigilance keeps business partners' prices competitive and helps your bottom line.

Along with all of this goes the nebulous word, "ethics." While we have all heard the quip that business ethics is a contradiction in terms, a recent study on the effectiveness of ethics programs in preventing fraud has an interesting lesson to teach. The May 1999 Arthur Andersen study indicated that when upper management made ethics and compliance a priority, emphasizing a code of conduct not just as a structure for punishing transgressors but as a part of the company culture, fraud decreased.

Employees, the study found, often needed to justify their theft to themselves, usually through some perceived mistreatment by the company. Better to encourage a sense of inclusion and esprit de corps -- that way, in addition to the internal controls you put in place, you can use your employees' own guilt to prevent misdeeds.

For a controller, the prevention of fraud goes along with the job. A controller is expected to put in place sufficient controls to make fraud very difficult on a small scale, and impossible on a large scale. Any successful large scale fraud will, ultimately, be blamed on a lack of internal controls.