Category Archives: Business Fraud

Smartphones: The Next Fraud Frontier

Fraud and Your Phone

Smartphones quickly have become a standard part of life for much of the population, even our kids. Not surprisingly, they’ve also now become a standard target for hackers and other individuals with fraud-related intent. Understanding the risks associated with smartphones is the first step in staying secure.

Smartphone risks
According to the U.S. Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT), smartphone security hasn’t kept pace with traditional computer security. These devices rarely contain technical security measures, such as firewalls and antivirus protections, and mobile operating systems aren’t updated as frequently as those on personal computers (PCs).

Yet users routinely store a wide range of sensitive information — including calendars, contact information, emails, text messages, passwords and user identification numbers — on their smartphones. Geolocation software can track where smartphones are at any time. In addition, apps can record personally identifiable information.

Even users who have little sensitive information on their smartphones are at risk. A hacker can target a phone and use it to trick its owner, or the owner’s contacts, into revealing confidential information. Attackers also use targeted smartphones to attack others. Using malicious software, an attacker can control a phone by adding its number to a network of devices (called a “botnet”). And smartphones can spread viruses to PCs, which can be a big problem for companies with bring-your-own-device (BYOD) policies.

Access points
An attacker can gain access to a smartphone through a variety of avenues. Sometimes an attacker obtains physical access, as when a phone is lost or stolen. More frequently, a hacker achieves virtual access by, for example, sending a phishing email that coaxes the recipient into clicking a link that installs malicious software.

Another way an attacker can gain access to a smartphone is text message spam. Studies show that people are three times more likely to respond to spam received by cellphone than when using a desktop or laptop computer. These texts often lead you to shady websites that install malware on your phone or otherwise seek to steal sensitive details that can be used for identity theft.

Apps can be dangerous, too. A user might install an app that turns out to be malicious or a legitimate app with weaknesses an attacker can exploit. A user could unleash such an attack simply by running the app.

Protective measures
Experts suggest that individual smartphone users, as well as those charged with managing an organization’s smartphones or administering a company’s BYOD policy, take several steps to reduce the odds of damaging attacks. Encryption is probably the most highly recommended precaution. When data is encrypted, it’s “scrambled” and unreadable to anyone who can’t provide a unique “key” to open it.

Two-step authentication, such as that offered by Gmail, is advisable when available. This approach adds a layer of authentication by calling the phone or sending a password via text message before allowing the user to log in. Of course, if the fraud perpetrator has obtained the phone illicitly, these authentication services put him or her one step closer to accessing the owner’s accounts.

Many users fail to enable all of their phones’ security features. An owner should always activate the features that are available: remote find-and-wipe capabilities, the ability to delete known malicious apps remotely, PINs or passwords, and other options such as touch ID and fingerprint sensors. Conversely, users should disable interfaces such as Bluetooth and Wi-Fi when not in use. They also should set Bluetooth-enabled devices to be nondiscoverable, which prevents devices from being listed during a Bluetooth device search process.

Can you hear me now?
Just as smartphone technologies are evolving rapidly, so are the threats to their security. Users and managers need to stay on top of the risks and take the necessary precautions to protect these valuable but vulnerable devices. If you have a “bring your own device” policy or are thinking about creating one, we can help make sure the right security is in place for your company. To learn more, contact Reggie Novak, CPA, CFE, at 216-831-7171 or


Don’t Lose Revenue to Fraud

Getting employees to join the fight against fraud

By Reggie Novak, CPA, CFE, Senior Manager, Audit and Accounting Services

The manufacturing sector is especially vulnerable to fraud schemes involving billing, corruption, and noncash assets, such as theft of inventory and equipment. Research suggests that businesses that provide a convenient and confidential way for employees to report unethical behavior are more likely to unearth embezzlement and other wrongdoing sooner and suffer smaller losses than those without established “whistleblower” policies.

To Catch a Thief
Proactive fraud prevention and detection controls can substantially reduce a company’s risk of fraud and minimize fraud losses. But all antifraud tools aren’t created equal. In each biennial edition of its Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) has consistently found that tips are the most common method of detecting fraud by a significant margin.

In the 2016 report, the ACFE found that more than 39 percent of frauds were detected by tips. About half of these tips came from employees, and the rest were reported by vendors, customers, and anonymous sources. The second most common method of detection was internal audit, which unearthed fraud in 16.5 percent of the cases in the study.

Based on these statistics, it stands to reason that reporting hotlines can be a critical weapon when deterring fraud and minimizing losses. The ACFE reports that organizations that had reporting hotlines were much more likely to detect fraud, 47 percent compared to 28 percent.

Many private, smaller companies forgo reporting hotlines because they’re seen as expensive and too formal for closely held organizations. However, the study found that the median loss suffered by small organizations (those with fewer than 100 employees) was the same as that incurred by the largest organizations (those with more than 10,000 employees). This type of loss is likely to have a much greater impact on smaller organizations.

Implementing an effective reporting mechanism can be a powerful way to prevent and detect fraud for companies of all sizes.

Minimize the Fear of Retaliation
Most employees are honest and want to do what’s best for their employers. But the prevalence of anonymous tips suggests that many whistleblowers fear retaliation from co-workers if they speak up against wrongdoers or their allegations don’t pan out. This is especially true in smaller companies where it may be harder to safeguard a whistleblower’s identity.

An important component of an effective reporting hotline is to establish policies to protect the confidentiality of whistleblowers and prevent backlash, including verbal bullying or job loss — especially when employees report on suspected wrongdoing by their superiors. Often it’s beneficial to consult with an attorney to ensure that the company’s hotline and related policies comply with employment laws and other regulations that may apply where you operate.

When selecting a manager to oversee the reporting hotline, choose someone who’s fair and impartial and engenders trust among people inside and outside the organization. Provide your “ethics officer” with authority and training to act on information conveyed through the hotline. Hotlines can also be managed externally by third-party vendors.

Promote and Facilitate Reporting
Of course, employees need to know about the hotline before they’ll use it. Once you implement a confidential telephone or Internet reporting hotline, conduct a meeting to promote it to both would-be perpetrators and those who might make a report, including employees, clients, shareholders and vendors. The hotline should be convenient to use and available 24/7 in multiple languages.

Distribute guidelines for the reporting hotline when it’s first launched, when you conduct periodic fraud prevention training and when new employees join the company. Also create print and electronic promotional materials for the hotline to display in high-profile locations, such as in the lunchroom and on the company’s intranet site.

Remember, too, that reporting hotlines can unearth other problems besides fraud, such as unsafe working conditions or drug abuse by co-workers. Some companies even set up their hotlines to serve as an electronic “suggestion box” for ways to improve operating efficiencies or offer new product ideas.

Follow Up on Tips
Employees are more likely to report fraud if the company acts on tips in a prompt, serious manner and demonstrates a zero-tolerance policy for fraud. The most serious allegations should be reviewed with legal counsel first. Often, timely follow-up necessitates the use of an outside forensic accounting specialist who is trained in collecting a thorough and defensible trail of evidence.

The best advice we can offer is, “Don’t go it alone.” To ensure your business is protected, contact Reggie Novak, CPA, CFE, Senior Manager at Ciuni & Panichi, Inc., at 216-831-7171 or

How to Detect and Prevent Expense Reimbursement Fraud

Sweat the small stuff and Prevent Fraud

By Reggie Novak, CPA, CFE, Senior Manager, Audit and Accounting Services

Reimbursement fraud is often overlooked by management with the thought that their employees are trustworthy and the loss is small and not worth the time and effort to track. In reality, expense reimbursement schemes account for nearly 14 percent of all occupational frauds and result in a median loss of $30,000 per year, according to the Association of Certified Fraud Examiners (ACFE). And if your employees think management is “looking the other way,” dishonest employees may take advantage of their good-natured managers.

Keeping your organization safe from thieving employees demands strong controls, tough actions against perpetrators and management leading by example. Whether you’re a multinational corporation employing sales representatives traveling throughout the world or a small not-for-profit organization, you can fall victim to expense reimbursement fraud.  Forensic accounting experts can help companies implement measures to detect and prevent expense reimbursement fraud.

Most common methods
According to the ACFE, expense reimbursement schemes generally fall into one of these four categories:

  1. Mischaracterized expenses. This involves requesting reimbursement for a personal expense by claiming that it’s business-related. For example, an employee takes a family vacation and requests reimbursement for meal and hotel expenses by submitting actual receipts and a false expense report.
  2. Overstated expenses. Overstating expenses involves inflating the cost of actual business expenses — for example, by altering receipts or obtaining a refund for a portion of the expense. A common scheme is to buy a first- or business-class airline ticket with a personal credit card, submit the expense for reimbursement, and then return the ticket and replace it with a coach ticket.
  3. Fictitious expenses. Obtaining reimbursement for nonexistent expenses by submitting false expense reports and fake receipts or other documentation would fall under the category of fictitious expenses. A common technique is to obtain a stockpile of blank receipts from taxicab companies or other vendors and submit them over time.
  4. Multiple reimbursements. This scam involves requesting reimbursement for the same expense several times — typically by submitting photocopied receipts or different forms of supporting documentation (for example, receipts, email confirmations, canceled checks, tickets and invoices).

These schemes tend to continue for long periods of time before they’re detected. The ACFE reports that the median duration of employee reimbursement frauds is 24 months.

Detection methods
Forensic accountants use a variety of techniques to detect employee reimbursement fraud. For example, they might review reimbursement documentation to look for photocopies, duplicates or fakes; compare employees’ expense reports and supporting documentation to check for multiple claims for the same expenses; and compare the times and dates of claimed expenses to work schedules and calendars to look for inconsistencies, such as expenses claimed during vacations.

Forensic experts also search for red flags that may signal fraudulent activity or warrant further investigation. For example, they might look for employees who:

  • Claim disproportionately larger reimbursements than other employees in comparable positions,
  • Pay large expenses in cash despite access to a company credit card,
  • Submit consecutively numbered receipts over long periods of time, and
  • Consistently submit expenses at or just under the company’s reimbursement limit for undocumented claims.

Another technique is to look for employees whose expense patterns violate Benford’s Law — a statistical analysis tool that can reveal fabricated numbers.
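The detection checks listed above can be run over an expense export. The following is an added example, not part of the original article: the record layout, the $25 undocumented-claim limit, the thresholds and all sample data are constructed assumptions. Benford's Law is only meaningful on large samples that span several orders of magnitude, so a high score is a reason to review, not proof of fraud.

```python
import math
from collections import Counter, defaultdict
from datetime import date

CHI2_CRIT = 15.507  # chi-square critical value: 8 degrees of freedom, alpha = 0.05

def first_digit(amount):
    """Leading non-zero digit of an amount, e.g. 412.30 -> 4."""
    return int(f"{abs(amount):.15e}"[0])

def benford_chi2(amounts):
    """Chi-square statistic of observed leading digits against Benford's Law."""
    seen = Counter(first_digit(a) for a in amounts if a)
    n = sum(seen.values())
    chi2 = 0.0
    for d in range(1, 10):
        expected = n * math.log10(1 + 1 / d)  # Benford: P(d) = log10(1 + 1/d)
        chi2 += (seen[d] - expected) ** 2 / expected
    return chi2

def near_limit_share(amounts, limit, band=0.10):
    """Fraction of claims at the limit or within `band` below it."""
    return sum(limit * (1 - band) <= a <= limit for a in amounts) / len(amounts)

def duplicate_claims(claims):
    """Same employee, date and amount claimed more than once, whatever the document."""
    groups = defaultdict(list)
    for c in claims:
        groups[(c["emp"], c["date"], c["amount"])].append(c["doc"])
    return {key: docs for key, docs in groups.items() if len(docs) > 1}

def consecutive_receipts(claims, min_run=3, min_days=30):
    """Consecutively numbered receipts from one vendor spread over a long period."""
    by_key = defaultdict(list)
    for c in claims:
        if c["receipt_no"] is not None:
            by_key[(c["emp"], c["vendor"])].append((c["receipt_no"], c["date"]))
    flagged = {}
    for key, items in by_key.items():
        items.sort()
        runs, run = [], [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] == prev[0] + 1:
                run.append(cur)
            else:
                runs.append(run)
                run = [cur]
        runs.append(run)
        long_runs = []
        for r in runs:
            days = [d for _, d in r]
            if len(r) >= min_run and (max(days) - min(days)).days >= min_days:
                long_runs.append([no for no, _ in r])
        if long_runs:
            flagged[key] = long_runs
    return flagged

# --- Constructed sample data (not from the article) ---
# Amounts spread evenly on a log scale behave like naturally occurring figures.
NATURAL = [round(10 ** (1 + i / 100), 2) for i in range(300)]
# Invented amounts huddled under a $50 threshold all begin with the digit 4.
PADDED = [45.0 + (i % 5) for i in range(60)]
REIMBURSEMENT_LIMIT = 25.00  # assumed limit for claims without documentation

def claim(emp, vendor, receipt_no, day, amount, doc="receipt"):
    return {"emp": emp, "vendor": vendor, "receipt_no": receipt_no,
            "date": day, "amount": amount, "doc": doc}

CLAIMS = [
    claim("E-17", "City Cab", 5001, date(2016, 1, 11), 24.00),
    claim("E-17", "City Cab", 5002, date(2016, 3, 2), 24.50),
    claim("E-17", "City Cab", 5003, date(2016, 5, 19), 23.75),
    claim("E-17", "City Cab", 5004, date(2016, 8, 8), 24.90),
    claim("E-17", "Lakeside Hotel", 88213, date(2016, 4, 5), 412.30),
    claim("E-17", "Lakeside Hotel", None, date(2016, 4, 5), 412.30, "email confirmation"),
    claim("E-02", "City Cab", 7340, date(2016, 2, 1), 18.20),
    claim("E-02", "City Cab", 9127, date(2016, 6, 14), 31.00),
]

if __name__ == "__main__":
    for label, sample in (("natural", NATURAL), ("padded", PADDED)):
        score = benford_chi2(sample)
        print(f"{label}: chi2={score:.1f} review={score > CHI2_CRIT}")
    print("duplicates:", duplicate_claims(CLAIMS))
    print("consecutive receipts:", consecutive_receipts(CLAIMS))
    cab = [c["amount"] for c in CLAIMS if c["emp"] == "E-17" and c["vendor"] == "City Cab"]
    print("share near limit:", near_limit_share(cab, REIMBURSEMENT_LIMIT))
```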

An ounce of prevention
In addition to detecting expense reimbursement fraud, forensic accounting experts can help companies implement preventive measures. These include written expense reimbursement policies and procedures requiring detailed expense reports that set forth amounts, times, places, people in attendance and specific business purposes. Employees also should be asked to use company credit cards, submit original, detailed receipts (no photocopies), and provide boarding passes for air travel. Periodic audits of travel and entertainment expense accounts can also have a powerful deterrent effect.

The best advice we can offer is, “don’t go it alone.” Contact Reggie Novak, CPA, CFE, Senior Manager, at Ciuni & Panichi, Inc. at 216-831-7171 or to learn how you can protect your business from reimbursement fraud.

Fraud and Inventory Loss

Hunting for misplaced “goods”

Fraud experts can help recover lost items
If your inventory numbers are not adding up during your year-end physical inventory, it may be time to uncover the source of the discrepancy, and a fraud expert can help. Before assuming theft, a fraud expert determines whether the items were really stolen or were simply misplaced. In many cases, employees keep sloppy records or fail to follow proper procedures, resulting in “missing” inventory. For example, a company without a location assignment for each item, which can be an effective method of keeping tabs on overflow stock and returns, is likely to misplace inventory.

If there’s no innocent explanation for missing inventory, then the fraud expert looks for signs in the environment conducive to fraud. For example, a company with poor internal controls over purchasing, receiving and cash disbursements is at high risk of inventory theft. In addition, one person performing multiple duties within any one area of the company can easily commit and conceal fraud.

If the expert believes inventory could have been stolen, he or she combs the records for clues. Anything that doesn’t follow established inventory procedures could be a red flag — such as odd journal entries posted to inventory, large gross margin decreases or sudden problems with out-of-stock inventory.

Exposing irregularities
Next, the expert works to prove the fraud. Inventory fraud may leave a paper (or electronic) trail, so forensic accountants typically review journal entries for unusual patterns. An entry recording a physical count adjustment made during a period when no count was taken obviously warrants investigation. The expert follows up by tracing unusual entries to supporting documents.

Vendor lists also may show suspicious patterns, such as post office box addresses substituting for street addresses, vendors with several addresses, and names closely resembling those of known vendors. Even if they’ve found no evidence of nonexistent vendors, fraud experts look at vendor invoices and purchase orders for anomalies such as unusually large invoices or alleged purchases that don’t involve delivery of goods.

Discrepancies between the amounts due per invoice, the purchase order and the amount actually paid warrant investigation. Finally, experts familiarize themselves with the cost, timing and purpose of routine purchases and flag any that deviate from the norm.
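The vendor-list patterns and the invoice, purchase order and payment comparison described above can be scripted against a vendor master file and a payment ledger. This is an added example, not part of the original article: the field names, the 0.85 similarity threshold and every record are constructed assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*Box\b", re.IGNORECASE)
SUFFIXES = {"inc", "llc", "co", "corp", "ltd", "company"}

def normalize(name):
    """Lower-case a vendor name, drop punctuation and legal suffixes."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def po_box_vendors(vendors):
    """Vendor ids whose only address on file is a post office box."""
    return sorted(v["id"] for v in vendors if PO_BOX.search(v["address"]))

def multi_address_vendors(vendors):
    """Normalized vendor names that appear with more than one address."""
    addresses = defaultdict(set)
    for v in vendors:
        addresses[normalize(v["name"])].add(v["address"].lower())
    return sorted(name for name, seen in addresses.items() if len(seen) > 1)

def lookalike_names(vendors, threshold=0.85):
    """Pairs of different vendor names that are nearly identical."""
    names = sorted({normalize(v["name"]) for v in vendors})
    pairs = []
    for a, b in combinations(names, 2):
        score = SequenceMatcher(None, a, b).ratio()
        if score >= threshold:
            pairs.append((a, b, round(score, 2)))
    return pairs

def three_way_mismatches(transactions, tolerance=0.01):
    """Invoices where PO amount, invoiced amount and amount paid disagree."""
    flagged = []
    for t in transactions:
        amounts = (t["po_amount"], t["invoice_amount"], t["paid"])
        if max(amounts) - min(amounts) > tolerance:
            flagged.append(t["invoice"])
    return flagged

# --- Constructed sample data (not from the article) ---
VENDORS = [
    {"id": "V001", "name": "Acme Industrial Supply, Inc.", "address": "4100 Carnegie Ave, Cleveland OH"},
    {"id": "V002", "name": "Acme Industrail Supply LLC", "address": "P.O. Box 1142, Parma OH"},
    {"id": "V003", "name": "Buckeye Packaging Co.", "address": "77 Canal Rd, Akron OH"},
    {"id": "V004", "name": "Buckeye Packaging", "address": "PO Box 903, Akron OH"},
    {"id": "V005", "name": "Northcoast Freight", "address": "2500 W 3rd St, Cleveland OH"},
]
TRANSACTIONS = [
    {"invoice": "INV-1001", "po_amount": 1200.00, "invoice_amount": 1200.00, "paid": 1200.00},
    {"invoice": "INV-1002", "po_amount": 800.00, "invoice_amount": 950.00, "paid": 950.00},
]

if __name__ == "__main__":
    print("PO box only:", po_box_vendors(VENDORS))
    print("several addresses:", multi_address_vendors(VENDORS))
    print("lookalike names:", lookalike_names(VENDORS))
    print("amount mismatches:", three_way_mismatches(TRANSACTIONS))
```

Each hit is a lead for tracing back to supporting documents; a legitimate vendor can have a post office box or a second remit-to address.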

Catching the thief
Although a count performed by employees may disrupt normal business routines, it’s an effective way to learn exactly what merchandise may be missing — and could lead directly to the thief (unless the thief is involved in the physical inventory count!). Fraud experts sometimes recommend hiring an outside inventory firm to perform the count and value the inventory.

Whether employees or inventory specialists perform the job, a fraud expert carefully observes warehouse activity once employees realize a count is imminent. Thieves may attempt to shift inventory from another location to substitute for missing items they know will be discovered.

It’s important to confirm physical inventory as well.  Inventory at remote locations also can disappear, so fraud experts often will confirm quantities with the storage facility or go with the client to inspect them personally. Whenever possible, it’s best to perform a count in person rather than delegate the job to someone who may not be trustworthy. Unfortunately, sometimes it’s theft. But now you have the knowledge and evidence to address the issue appropriately.

The best advice is, “Don’t go it alone.” Contact Ciuni & Panichi, Inc. Certified Fraud Examiner, Reggie Novak, CPA, at 216-831-7171 or

© 2016

Protect your business with good internal controls

The cost of fraud is too high to ignore

By:  Mike Klein, Partner

The 2013 Global Fraud Report survey reports 70 percent of companies suffered from at least one type of fraud, up from 61 percent in the previous poll. Businesses reported physical assets or stock theft increased four percent, internal financial fraud or theft up four percent, and vendor, supplier and procurement fraud up seven percent in just one year. This is a trend business leaders cannot ignore.

Your best defense against fraud is to implement effective internal controls. Your CPA is your best resource to test your internal controls and suggest strategies to protect your business. However, keep in mind an audit doesn’t specifically focus on fraud defense and detection, but rather determines whether your financial reporting meets Generally Accepted Accounting Principles (GAAP) standards. Testing your internal controls is not a requirement in most audits of non-publicly traded businesses.

To gain further insights into how your controls are operating, consider having your CPA firm perform agreed-upon procedures to test the operating effectiveness of your controls. Your CPA firm can also help you perform a gap analysis to identify areas of weakness that make your organization susceptible to fraud.

If you suspect you are a victim of fraud, consider engaging a forensic accountant. He or she can conduct an actual investigation to determine if fraud has occurred and help you quantify the amount.

Following are practices you should have in place right now to protect against fraud:

Draft and implement an ethics policy. When employees know such a policy exists, and management is following it, they’ll also know attempted fraud will be much riskier. Equally important to a strong ethical position is a clear delineation of internal control responsibilities.

Spread risk-intensive tasks among several employees. Authorization duties (check signing or releasing a wire transfer), custody (access to the blank check stock or the ability to establish a wire transfer), and recordkeeping (recording transactions in the accounting system) should be separated so one individual cannot complete a transaction from start to finish. For many businesses, proper segregation of duties can be difficult to achieve. In these instances, company owners should consider having the unopened bank statements delivered to them directly. The owners should then review the bank statements and the check images online for any transactions appearing unusual, and follow up to understand them.

For example: controls over your vendor list and payments. Implementing controls such as requiring vendors to sign a code of conduct annually, ensuring the vendor set-up process incorporates segregation of duties and implementing check validation of select vendor payments can help deter and detect fraudulent activities.  Business owners should also review the vendor list at least annually and question any vendors on the list that seem unusual.  Each review of the vendor list may help to uncover potential instances of vendor-related fraud, highlight opportunities for strengthening controls around vendor-related files, and mitigate future exposures.

Secure your facility. Lock up valuable assets. Invest in video monitoring systems, time clocks for tracking the work of hourly employees, and alarm systems, and use them. Implement IT security policies such as passwords and server and software authentication to prevent fraudsters from stealing or vandalizing critical information (or money and products).

Know what you have and what you don’t. Scrupulously maintain your financial statements and regularly review them for suspicious budget-to-actual variances. Create invoices unique to your company and sufficiently informative so they are difficult to fabricate. And use pre-numbered, consecutive documents as a quick indicator if things are out of order.

If you suspect fraud, address it. Contact an accounting firm specializing in fraud services to investigate. But don’t inform your employees. The element of surprise can be helpful. When employees don’t know when the process is scheduled to begin, they can’t preemptively fix mistakes or, in worst cases, cover their tracks after committing fraud.

For an internal control assessment to help protect your business from fraud contact Mike Klein, CPA, MBA, Ciuni & Panichi, Inc., 216-765-6943 or for more information click here.

A tip-line protects your business from fraud

Fraud tip-line effectively helps prevent fraud

Tip-lines are one of the most effective tools organizations possess to detect and prevent fraud. In the most recent studies, companies with tip-lines experienced median fraud losses 59 percent smaller than organizations without them. Despite their effectiveness, the same studies reported that approximately 15 percent of small businesses had tip-lines compared to 64 percent of larger organizations.

A good tip-line provides employees and others with an outlet to report unethical activity, helps defend against lawsuits, and emphasizes fairness in an organization. Early reporting enables companies to take corrective action before a problem creates a serious threat.

The Association of Certified Fraud Examiners “2014 Report to the Nations on Occupational Fraud and Abuse” reported the most common detection source cited for frauds occurring at affected organizations is internal tips. Because tip-lines encourage and facilitate anonymous reporting, they are a proven fraud deterrent that can be successfully implemented without burdensome effort or expense.

An effective fraud tip-line should include the following features:

  • Provide an anonymous and confidential whistle-blower reporting service for potential fraud, ethical issues, and other concerns.  Anonymous and confidential reporting mechanisms help foster a culture whereby company employees are more likely to report or seek guidance regarding potential or actual wrongdoing.
  • Reports may be submitted 24 hours a day by employees, volunteers, board members, and others within a registered organization.
  • Users can report wrongdoing through a secure online form or a toll-free voicemail number without the fear of retaliation. The fear of retribution is generally strong among potential whistleblowers and such fear may adversely affect the effectiveness of the internal reporting process. Trust in a company’s whistleblower process, including making hotline reports without fear of retaliation, is essential to motivate employees to report suspected unethical or unlawful conduct internally.
  • Once a tip has been reported, all information is conveyed directly to those within the organization as designated by the organization’s management or the board of directors.
  • Could offer financial as well as non-financial reporting incentives, such as cash rewards or extra vacation days, for whistleblower reports that lead the company to identify suspected unethical or unlawful activity.

Companies need to evaluate existing tip-lines to ensure they are operating as intended and are effective in preventing and identifying unethical or potentially unlawful activity, including corporate fraud, securities violations and employment discrimination or harassment. This evaluation should be a key element of every company’s assessment of its compliance and ethics program.

It is more crucial than ever for organizations to have effective whistleblower tip-lines as part of their corporate compliance programs so employees (and other company stakeholders, such as vendors) are motivated to report suspected unethical or unlawful conduct internally and not incentivized to first turn to regulators.

Reggie Novak is a Senior Manager in the Audit and Accounting Services Group.  As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to be implemented to prevent theft or misappropriation.  If fraud is suspected, he can investigate and present his findings and recommendations.  Contact Reggie Novak at 216.831.7171 or for more information.

Fraud: Red Flags Rule Tackles Identity Theft

Are you covered?

Several years ago, the Federal Trade Commission (FTC) issued its “Red Flags Rule,” which requires financial institutions and other organizations to implement a written identity theft prevention program. The rule is designed to detect the warning signs of identity theft in their day-to-day operations.

Last year, pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act, the SEC and the Commodity Futures Trading Commission (CFTC) jointly adopted their own Red Flags Rule for entities under their jurisdiction.

The FTC’s rule applies to financial institutions and “creditors.” A creditor is defined as an organization that does one or more of the following:

  • Obtains or uses consumer reports in connection with credit transactions,
  • Provides information to credit reporting companies in connection with credit transactions, or
  • Advances funds to or on behalf of people (other than incidental expenses in connection with services the organization provides).

Creditors that establish certain covered consumer accounts must implement an identity theft prevention program.

The new rules don’t expand the scope of the rules that were already in place. According to the SEC, however, the adopting release includes examples and small language changes “which may lead some entities that had not previously complied . . . to determine that they fall within the scope of the rules.”

Examples of SEC-regulated entities that might be considered “financial institutions” include but are not limited to: 1) broker-dealers that offer custodial accounts, 2) registered investment companies that offer wire transfers or check-writing privileges, and 3) investment advisors that hold transaction accounts and are permitted to direct payments or transfers out of those accounts. In addition, some SEC-regulated entities may meet the definition of “creditor,” such as investment advisors that advance funds to investors to permit them to invest in a fund.

All companies, and not just public companies, should review their activities to determine whether they’re covered by the Red Flags Rules.

For more information or if you have concerns about your organization, contact Reggie Novak at 216-831-7171 or

Reggie is a Senior Manager in the Audit and Accounting Services Group. As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services including recommending internal controls and other measures to be implemented to prevent theft or misappropriation. If fraud is suspected, he can investigate and present his findings and recommendations.

© 2014

The Costly Consequences of Fraud

How Fraud Can Impact Your Company’s Value

There are many negative consequences of occupational fraud, such as financial losses, public embarrassment, and diminished employee morale, but one that is often overlooked is how fraud affects a company’s value. The value of your company can become distorted by illegal schemes involving asset misappropriation, corruption, and financial misstatements. All of these things can make it difficult to get an accurate valuation.

To ensure they come to realistic conclusions, valuators must adjust financial statements when the existence of fraud is known.

Business valuations are derived from financial statements to estimate value.  Unless specifically stated in the engagement letter, valuators do not audit financial information or investigate fraud.   So if financial statements contain fraudulent numbers, the valuation may be inaccurate, unless properly adjusted.

If fraud is suspected, the valuator will most likely engage a forensic colleague to determine the extent of the issue.  This will increase the scope of the engagement but ensure that a proper value can be established.

Importance of internal controls
While a number of factors are considered, size matters when valuators and forensic experts are assessing the risk of fraud. A business that has fewer than 100 employees tends to suffer the highest median losses, according to the Association of Certified Fraud Examiners.

The internal controls a company has put in place, such as the policies and procedures to protect its assets, improve efficiencies, and ensure financial statements, will tell a valuator a lot about its potential fraud risk.  Controls such as a fraud training program and whistleblower hotline are considered to be a good first line of defense against such issues.

There are other examples of internal controls that minimize fraud and protect a company’s value.  These include:

  • Restricted access to physical assets, including locks, passwords, and security systems
  • Formal job descriptions, codes of conduct, and employee manuals
  • Mandatory vacation policies
  • Duplicate signatures on checks above a preset dollar amount
  • Monthly bank reconciliations and physical inventory counts
  • Background checks on prospective job candidates
  • Annual or surprise audits

Even these do not completely prevent fraud.  If a manager is lax in his/her supervision of employees or overrides the system, the environment is ripe for fraud to thrive.

Make adjustments
Valuators will take steps to account for additional risk if fraud or poor accounting practices are known or suspected.  If an unscrupulous CFO were to prematurely post unearned or fictitious sales to boost his bonus, this would cause the company’s value to be overstated since the earnings or assets are now exaggerated.

To account for the CFO’s actions, a valuator might increase the company’s specific risk (a component of the cost of capital).  Increasing the cost of capital has an inverse effect on the valuation, lowering it.

Valuing a company, building a case
Because valuators typically don’t look for fraud, be sure to discuss any concerns about the accuracy of financial statements when you engage an expert, particularly if a fraud investigation is already underway.  Such information will enable the valuator to make appropriate adjustments and, if necessary, help your litigation team gather evidence and assess possible damages.

Reggie Novak is a Senior Manager in the Audit and Accounting Services Group.  As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to be implemented to prevent theft or misappropriation.  If fraud is suspected, he can investigate and present his findings and recommendations.  Contact Reggie Novak at 216.831.7171 for more information.

Charles Ciuni is the Chairman of Ciuni & Panichi, Inc. and a Certified Valuation Analyst.  Mr. Ciuni can provide the comprehensive and detailed analysis required for a business valuation.  He also specializes in litigation support services.  Contact Chuck Ciuni at 216-831-7171.

© 2014

Fraud and Technology – Is it harming your business?

Fraud Schemes to Watch Out For

Cybersecurity breaches, such as recent hack attacks on Target, Neiman Marcus and J.P. Morgan, grab all the headlines. But most businesses are likely to fall victim to smaller-scale technology fraud — most often schemes perpetrated by their own employees. Here are several to look out for.


Technology can play a critical role in helping prevent and detect fraud, but it’s also used to perpetrate and disguise wrongdoings. The Web in particular has opened up new virtual avenues for fraudsters.

Consider phishing — one of the oldest types of Internet fraud and still immensely popular. Phishers might e-mail executive, accounting or HR staff, posing as a legitimate entity such as a bank or governmental agency, and encourage recipients to download malicious software (malware). Such malware allows the fraudsters to record keystrokes and uncover passwords. The phisher can then use this information to divert funds from company accounts or steal proprietary data.

Purchasing fraud

Respondents to the most recent Association of Certified Fraud Examiners (ACFE) survey estimated that the typical organization loses 5% of its annual revenues to employee fraud. In this survey of fraud examiners, the ACFE revealed that the reported schemes committed by workers in the IT department caused a median loss of $50,000.

IT staffers might, for example, accept kickbacks from vendors or submit fraudulent invoices for equipment or software that wasn’t actually obtained. The risk of this type of fraud is especially high when the same person who approves purchase orders and receives shipments also approves invoices.

Internal Control Overrides

Employees can also wield technological knowledge to override internal controls intended to prevent fraud.

Organizations that fall prey to tech-related fraud share some common traits. These include poor or nonexistent technology controls (passwords, data validity checks) and lax oversight of technology spending (such as lacking a formal vendor bidding process). Also, many of the employees of such companies have low “technology IQs.”

Detection and Prevention

Certain behavioral patterns can help you spot and stop such occupational fraud schemes. Red flags should go up if IT staff:

  • Have been experiencing financial difficulties
  • Appear to be living beyond their means
  • Are reluctant to share responsibilities with other staffers
  • Don’t take vacation or sick days
  • Are evasive when asked for information

To prevent illicit activities from occurring in the first place, conduct thorough background checks on all prospective IT employees. Also consider offering an anonymous tipline to staffers, customers and vendors. These reporting mechanisms have repeatedly proven to be one of the most effective tools for fighting fraud.

Thief-proof Controls

Technology fraud can be costly, so enlist the help of a specialist to ensure that what keeps your business running isn’t being used to harm it. A qualified fraud expert can conduct risk assessments and help design internal controls that even savvy fraudsters will find difficult to override.

Reggie Novak is a Senior Manager in the Audit and Accounting Services Group.  As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to implement.  If fraud is suspected, he can investigate and present his findings and recommendations.  Contact Reggie Novak at 216.831.7171 for more information.

© 2014

Fraud and Your Employees’ Expectation of Privacy

Prevent Fraud – Write it Down

Employers can effectively reduce their potential fraud liability for violations involving workplace searches by lowering employees’ expectation of privacy in the workplace.  The best method that employers can use to lower this expectation of privacy is to adopt a written privacy policy that puts all employees on notice that the workplace is not private and require all employees to sign it.

Courts have generally ruled that when there is a written policy that usage of employee communications devices is subject to monitoring at work, employees have no (or a very low) expectation of privacy, and their devices may be subject to search.  This can, however, turn on a number of factors, such as whether or not the policy has been enforced in the past.

A written fraud prevention and privacy policy should be posted in a prominent place in the workplace and contain the following information:

  • Provide that, in order to maintain the security of the employer’s operations, management may gain access to and search all work areas and personal belongings, including desks, file cabinets, lockers, briefcases, handbags, pockets, and personal effects.
  • State that workplace areas are subject to surveillance and business phone calls may be monitored.
  • Make it clear to employees that the employer reserves the right to physically and digitally search any devices with storage or memory capabilities that they might bring to work and to make copies of any files found therein.
  • Notify employees that computer systems are solely for business use, and that the Company reserves the absolute right to review, audit, monitor, and disclose all matters sent over the system or placed in storage.  Computer systems specified in the policy should include Company email, internet, hardware, and software files.

In addition to a written fraud prevention and privacy policy, employers can use the following measures to limit their potential liabilities for violations involving workplace searches:

  • Requiring employees to provide keys to all personal locks
  • Retaining a key to all desks, lockers, file cabinets, etc.
  • Obtaining consent to search workplace areas.

As always, if there is a question of whether or not you’re allowed to perform a search of your employee’s possessions in the workplace, it’s best to consult with an experienced employment attorney first.

Reggie Novak is a Senior Manager in the Audit and Accounting Services Group.  As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to be implemented to prevent theft or misappropriation.  If fraud is suspected, he can investigate and present his findings and recommendations.  Contact Reggie Novak at 216.831.7171 for more information.

© 2015

Internal Control Framework Changes: The impact to your company

The new COSO framework doesn’t impact me.  Does it?

There has been a lot of buzz recently, and rightfully so, about the changes made to the internal control framework as we currently know it.  On May 14, 2013, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an updated version of its Internal Control—Integrated Framework.  COSO will consider the 1992 Internal Control—Integrated Framework as having been superseded by the 2013 framework after December 15, 2014.

If you work for a public company, you may know that Sarbanes-Oxley Act (SOX) Section 404 requires management to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually.  The majority of U.S. publicly-traded companies have adopted COSO’s 1992 framework to do this, and therefore, will be required to adhere to the new COSO framework.

So why should I care about COSO’s new framework if I don’t work for a public company?

Well, in the spirit of continuous improvement, organizations should continually reassess their system of internal control to identify opportunities to improve the efficiency and effectiveness of that system.

Let’s also think about the many changes occurring since 1992 that have significantly increased business risk, resulting in a much greater need for accountability, oversight, and competence than ever before.  This need extends from the board of directors, all the way down to the entry level staff employees just beginning their careers.

Markets continue to globalize; business models have changed significantly; the complexity and pace of change surrounding rules, regulations, and standards have intensified the demands on organizations; and last, but definitely not least, our reliance on evolving technology continues to grow.

Finally, let’s not forget about some of the large-scale internal control breakdowns of recent history, such as Enron, WorldCom, Qwest Communications, and Cendant.  These breakdowns have taught us all valuable lessons around a number of items, such as the effects of management override, ineffective board or audit committee oversight, lack of segregation of duties, conflicts of interest, poor or nonexistent transparency displayed by key officials, and unbalanced compensation structures.

So, the introduction of this new COSO framework gives you the perfect excuse to reassess your organization’s system of internal control.  Need more?  Let’s move on.

The 1992 COSO framework introduced 17 relevant principles associated with the five components of internal control, but did this conceptually.  The new COSO framework not only codifies the 17 underlying principles, it streamlines the original framework; increases the focus on operations, non-external financial reporting, and compliance objectives; and enhances usability.

As COSO has explained, the 17 principles remain broad as they are intended to apply to for-profit companies (including those that are privately held), non-profit entities, governmental entities, and other organizations.  COSO has also included points of focus within each of the 17 principles.   These points of focus represent important characteristics associated with each principle and provide helpful guidance to assist management in designing, implementing, and assessing whether the relevant principles are present and relevant.

COSO believes this framework will provide organizations significant benefits, such as increased confidence that controls mitigate risks to acceptable levels and reliable information supporting sound decision making.  The time is now to take a look at the new and improved COSO framework and consider how it can create value for your organization, regardless of how mature your organization’s system of internal control may be.

For more information, contact Reggie Novak at 216-831-7171.

Reggie is a Senior Manager in the Audit and Accounting Services Group.  As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services including recommending internal controls and other measures to be implemented to prevent theft or misappropriation.  If fraud is suspected he can investigate and present his findings and recommendations.


Internal Controls for Business Owners to Use Today

Tightening Internal Controls can Protect your Company

By Reggie Novak, Senior Manager, CPA, CFE, Ciuni & Panichi, Inc.

In today’s fast-moving marketplace, businesses face numerous challenges, including management of security risks and fraud. From a breach in online security to misuse or theft of company funds, organizations are susceptible to both internal and external acts of fraud. Small businesses can be the most prone to risk because they often do not have adequate protections in place to guard their assets. The best method to aid in the detection and prevention of fraud, as well as protect your company’s assets, employees, and customers, is to establish an effective system of internal controls.  The following internal controls can help all organizations fight the good fight against the risk of fraud:

1. Segregate duties. The duties of authorization (signing a check or releasing a wire transfer), custody (having access to the blank check stock or the ability to establish a wire transfer), and recordkeeping (ability to record the transaction in the accounting system) should be separated so that one individual cannot complete a transaction from start to finish. For many businesses, proper segregation of duties can be difficult to achieve. In these instances, company owners may want to consider having the bank statements delivered to them directly and unopened. The owners should then review the bank statements and the check images for any transactions that appear unusual, and follow up on these transactions to obtain an understanding of them.

2. Review authorized signors. Carefully consider who your authorized signors are (authorization of the transaction). Those individuals should not have access to the blank check stock (custody of the asset) nor have the ability to enter the transaction into the accounting system (recording of the transaction). The use of a signature stamp, although efficient, may be problematic in that you must have separate controls to ensure that the stamp is not readily available for inappropriate use.

3. Consider requiring dual signatures. Your company may also want to consider the use of dual signatures. A dual signature policy includes the establishment of a dollar threshold over which checks require two signatures. The utilization of dual signatures establishes an element of segregation of duties for disbursements over a specified dollar threshold in that these disbursements require more than one individual to authorize the transaction.

4. Controls over wire transfers. The use of wire transfers has increased significantly over the years, and segregation of duties around wire transfers is paramount. The responsibilities for establishing a wire transfer should be segregated from the responsibility of releasing the wire transfer. If this segregation is not possible, consideration should be given to using a call-back procedure in which the financial institution will call a specified individual when a wire transfer is initiated. Most important, the call back cannot go to any individual who is able to initiate a wire transfer.

5. Reconcile bank accounts in a timely manner. The bank reconciliation process should be completed in a timely manner by someone who is independent of the cash disbursement process. The bank reconciliation process should also include a review of the bank statement and the check images that are returned with the bank statement for unusual transactions. Any unusual items should be investigated and evaluated when necessary.

6. Utilize controls offered by your banks or financial institutions.  Many banks offer services, such as positive pay, that can provide your business with the added assurance that bank transactions are properly authorized.  With positive pay for ACH transactions, a bank matches the details of ACH payments with those on a list of legitimate and expected payments provided by the account holder.  Only authorized ACHs are allowed to be withdrawn from the account, and exceptions are reported to the customer for review.

7. Controls over your vendor list and payments.  Implementing controls such as requiring vendors to sign a code of conduct annually, ensuring the vendor set-up process incorporates segregation of duties, and implementing check validation of select vendor payments can help deter and detect fraudulent activities.
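The segregation rules in items 1 through 4 can be checked mechanically against a list of who holds which duty. The following is an added example, not part of the original article: the user names, duty labels and the dollar threshold are constructed assumptions standing in for an export from your accounting and banking systems.

```python
# Added example: constructed data. User names, duty labels and the
# dollar threshold are assumptions, not values from the article.
DUTIES = {
    "alice": {"authorize", "wire_release"},
    "bob": {"custody", "wire_initiate"},
    "carol": {"authorize", "record"},            # signs checks and records them
    "dave": {"wire_initiate", "wire_release"},   # sets up and releases wires
    "erin": {"record"},
}
DUAL_SIGNATURE_THRESHOLD = 5000  # assumed policy value, in dollars

# Within each group, one person may hold at most one duty (items 1, 2 and 4).
INCOMPATIBLE_GROUPS = [
    {"authorize", "custody", "record"},
    {"wire_initiate", "wire_release"},
]


def duty_conflicts(duties):
    """Return (user, conflicting duties) for every segregation-of-duties gap."""
    findings = []
    for user in sorted(duties):
        for group in INCOMPATIBLE_GROUPS:
            overlap = sorted(duties[user] & group)
            if len(overlap) > 1:
                findings.append((user, tuple(overlap)))
    return findings


def callback_contact_ok(duties, contact):
    """Item 4: the bank's call-back must not reach someone who can initiate wires."""
    return "wire_initiate" not in duties.get(contact, set())


def check_exceptions(check, duties, threshold=DUAL_SIGNATURE_THRESHOLD):
    """Return the reasons a check should be held for review (empty list = pass)."""
    reasons = []
    signers = sorted(set(check["signers"]))  # the same person twice is one signature
    for signer in signers:
        if "authorize" not in duties.get(signer, set()):
            reasons.append(f"{signer} is not an authorized signor")
    if check["amount"] > threshold and len(signers) < 2:
        reasons.append("amount over threshold requires two signatures")
    if check["recorded_by"] in signers:
        reasons.append("recorded by one of its signers")
    return reasons


if __name__ == "__main__":
    for user, overlap in duty_conflicts(DUTIES):
        print(f"conflict: {user} holds {', '.join(overlap)}")
    print("call-back to bob ok:", callback_contact_ok(DUTIES, "bob"))
    sample = {"amount": 12000, "signers": ["alice", "alice"], "recorded_by": "erin"}
    print(check_exceptions(sample, DUTIES))
```

Running the same checks whenever roles change catches a conflict introduced by a promotion or a temporary coverage assignment before it shows up in a bank statement.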

For more information, contact Reggie Novak at 216-831-7171.

Reggie is a Senior Manager in the Audit and Accounting Services Group.  As a Certified Fraud Examiner, Mr. Novak can assist you with prevention services, including recommending internal controls and other measures to be implemented to prevent theft or misappropriation.  If fraud is suspected, he can investigate and present his findings and recommendations.