Hi LinkedIn readers! Let’s first talk about the concept of Main Street Fraud.
When you study accounting, your examples present large corporations that have limitless staff to divide up accounting processes (i.e. segregation of duties), and limitless funds for the costs to use these systems. They have fully staffed Accounting and Human Resources Departments so that the class can focus ONLY on the accounting issues. The companies are large, perpetually profitable, publicly traded companies.
In real life, the fraud I deal with involves companies that are small, no, tiny: 1-15 people. There is rarely any Accounting Department for keeping the books, and usually no Human Resources Department for on-boarding. And they use QuickBooks, if any software at all.
A respected Fraud Examiner and Presenter, Kelly Paxton (of “Pink Collar Crime” fame), taught me a great term: Main Street Fraud. It refers to the fraud issues that affect smaller companies we find on Main Street, in Downtown, USA. Main Street Fraud happens way more often, it doesn’t make the headlines. It is not glamorous. Main Street Fraud should be a regular article appearing in the ACFE journal “FRAUD” and feature Main Street Fraud Examiners in action! [hey ACFE: HINT!]
My beloved fraudster, Diana, worked for a small plumbing company. She defrauded her employer out of $263,000. They had an employee handbook, but no internal controls. Her employer did prosecute, and she was found guilty of one felony count.
Prosecution is often costly, professionally embarrassing, time consuming, and frequently not worth it to the victimized companies. But this is where the fraud seems to happen most often. The focus of my writing is aimed at Main Street Businesses. My goal is to give them ways to prevent other Diana’s from harming you and your businesses. The victim of this article, a Main Street Business is really challenged if he wants to prosecute his fraudster, and you will see why very quickly.
So, I am starting with basics: usernames and password.
The Case of the Single Username & Password:
I had a recent client that brought me in for an embezzlement engagement. As I interviewed him, it turns out that an employee/friend of his (of 15-20 years!) had been embezzling funds for almost as many years as they had been friends. Embezzler earned the owner’s trust and took advantage of him. When the owner discovered the embezzlement, he fired the thief.
How did the embezzler do it, and how did he get away with it? Here was his process:
1. He went into QuickBooks
2. Printed out an invoice for a customer for $200
3. Then reprinted that same invoice for $100
4, Gave the customer the $200 invoice which s/he paid in cash
5. Turned in the $100 invoice to the company cashier with $100 in cash
6. And pocketed the $100 difference.
RMOHC: “Did you look into QuickBooks to trace what happened.”
Client: “You won’t find anything.”
RMOHC: “Why not? Who has access to QuickBooks?”
Client: “Everyone, we all share the same username and password.”
RMOHC: “THE SAME? Doesn’t everyone have their own username and password?”
Client: “No. Only one came with QuickBooks, so we were stuck with using what they provided. Besides, we only use QuickBooks track the invoices. The CPA does all the rest, so we don’t need more, do we?” [go ahead and gasp!]
Simple story short. The Client got ripped off for who knows how many years, because the fraudster used the company-wide username and password to get into QuickBooks. There was no way to identify the embezzler’s access vs. the owner’s access, nor was there any trail to follow.
My Asset Misappropriation Engagement suddenly became an Internal Controls System Setup & Implementation Engagement. You know what usernames & passwords are but consider these points:
1. …key to keeping your financial data safe (and reduces “Opportunity” in the Fraud Triangle).
2. …means to limit who can get access to what in QuickBooks and more.
3. …great deterrents to fraud, because an audit trail is created based on the username.
4. …wonderful tools to help the segregate financial duties.
5. …NOT HARD to set up. If you need help with them, I can help you!! [note the blatant self-promotion!]
1. Easy to set up for each user, and then the user can change it to something personal
2. Best if you avoid the common mistake of using: “password” or “123456”, or some other common pattern. These are easily hacked.
TAKE AWAY: NEVER SHARE A USERNAME AND NEVER SHARE A PASSWORD!
Contact RMOHC to help you work with usernames and passwords across your entire company! Click here: (firstname.lastname@example.org) to schedule a free initial consultation.
Michael O’Hanlan Consulting (RMOHC) is an accounting consulting firm based in the Washington, DC area. Michael O’Hanlan is a Certified Fraud Examiner and an Operational Accountant. RMOHC specializes in accounting cleanup and organization for commercial and government contract clients, fraud prevention, and training services and to keep clients profitable, legal, and compliant.