A Message to Our Valued Clients

In the interest of public health and the safety of our community, and in compliance with Governor Cuomo’s executive order, Freed Maxick has suspended onsite client work and cancelled all office visits. Meanwhile, our team is working remotely to provide the same high-quality service you have come to expect. Utilizing the best technology at our disposal, we will continue to meet all of your audit, tax, and advisory needs and help you navigate the business implications of the pandemic as it unfolds. You can reach your Freed Maxick representative directly by email or phone, or contact our main line at 716.847.2651.


Summing It Up

Keeping you ahead of the curve with timely news & updates.

What is Business Impact Analysis?

Natural Disaster CROP

Is Your Company Ready for the Business Impact of the Next Natural Disaster?

Throughout 2018, we witnessed numerous natural disasters. From Hurricanes Michael and Florence to the California wildfires, these disasters amounted to billions of dollars of damage. Despite the hurricanes and wildfires that lay siege through the Florida panhandle, Northern California, and the Carolinas, many companies fail to acknowledge the risks of these types of disasters and the detrimental effects they can have on business operations. Sadly, these devastating disasters cannot be prevented, but you can take the necessary steps to protect your business from suffering interruptions to critical systems and processes.

What is a Business Impact Analysis and Why is it Important?

A Business Impact Analysis (BIA) is an evaluation of the possible impact to various processes or systems should an interruption or stoppage occur due to an accident, emergency, or disaster. Simply put, the analysis is a way to predict the negative outcomes of disruption to a business or its processes and develop strategies to help the business recover in the event of an emergency. A BIA can provide a clear picture of the critical or essential systems or processes of your business that must be in place to continue to allow the business to run. By determining which processes or systems are critical, your business is able to address the areas which need to be quickly recovered and the amount of time necessary or allowable to recover them.

An Overview of the Business Impact Analysis Process:

Business Impact Analysis Phase 1: Getting buy-in and the green light from senior management for the BIA project. This will also be the phase where the objectives, goals and scope are defined to provide clarity to the overall project. A project manager, along with a project team, will need to be established, or this can be outsourced to a third party.

Business Impact Analysis Phase 2: Obtaining information and data is the next important phase of the BIA analysis. During this phase, the BIA project team will conduct interviews or provide users with a BIA questionnaire in order to obtain the necessary information. A BIA questionnaire is typically a detailed survey which requests knowledgeable users’ questions about their processes, timing and the maximum allowable time of disruption, any operational, financial, regulatory, and legal or compliance impacts that may arise given a disruption.

Business Impact Analysis Phase 3: Now that key information on the business processes has been collected, the information needs to be analyzed and reviewed. This is done in order to accomplish the following:

  • To determine a prioritized listing of business processes or functions, with high criticality at the top of the list.
  • To determine which individuals and technology resources are needed to maintain an ideal level of operations.
  • To determine the recovery time frame, which is the length of time required to recover a business process of function and bring operations back to normal.

Business Impact Analysis Phase 4: The BIA report and a listing of any findings is now able to be documented. The BIA report is typically presented to senior management and should include the following: an executive summary, the objectives and scope of the analysis, any methodologies used to obtain data and information, a detailed listing of the findings and supporting documentation, and recommendations to be implemented for recovery.

Business Impact Analysis Phase 5: The final BIA report should be presented to senior management in order for them to implement any recommendations or make any adjustments to their strategy planning or goals for the company’s disaster recovery or business continuity plan.

Additionally, a best practice is to complete the BIA every two years, depending on how much the business processes or functions have changed. For some businesses it may be shorter and other businesses it may be longer depending on how much has changed since the last BIA was completed.

Connect with Business Impact Analysis Consultants

At Freed Maxick, our Business Impact Analysis team works with you and your company to understand your process from requirements through deployment to understand the complete picture, not just one area.

For more information about business impact analyses, disaster recovery and business continuity plans or other related risk consulting programs and services, please contact Heather.Jankowski@freedmaxick.com or call 716.847.2651.

More Insights and Guidance on Risk Management Issues - Click here.

View full article

HIPAA Security Risk Assessment: Going Beyond Regulatory Compliance


If your organization transmits, receives, maintains, or stores protected health information, whether hard copy (PHI) or electronic (ePHI), your organization must comply with the Health Insurance Portability and Accountability Act (HIPAA). Traditionally, HIPAA applies to “covered entities” - healthcare providers, clearinghouses, and health plans, but can also apply to a covered entity’s business associates. A HIPAA business associate is any individual or entity that perform services on behalf of the HIPAA covered entity utilizing protected health information. If your organization is either a covered entity or a business associate, HIPAA’s security rule requires your organization to perform a HIPAA risk assessment. Beyond simply satisfying regulatory compliance requirements, a HIPAA security risk assessment can also provide perspective of the affect (ePHI) on business functions and any shortcomings, that can help add value to overall operations:

HIPAA regulatory compliance

A key objective of conducting a HIPAA risk assessment is to demonstrate compliance with the requirements of the HIPAA regulation for both covered entities and business associates. Failure to perform a thorough risk assessment will lead to non-compliance with Section 164.308 of the HIPAA Security Rule, which in turn can lead to investigations by the Office of Civil Rights (OCR) and subsequent fines. Fines levied by OCR can vary by degree of negligence: from the entity not knowing the violation occurred and could not have reasonably known of the violation, to intentional willful neglect at the most severe end of the spectrum. In aggregate, fines can be in excess of ten million dollars based on the severity of the violations.

Understanding of the flow of protected health information in transit and at-rest

During the HIPAA risk assessment, the flow of PHI (electronic and hard copy) through the entity will be evaluated. By identifying the modes of transmittal, receiving, maintenance, and storage of PHI inside and outside the perimeters of the entity, an entity can better understand their exposure and current practices related to PHI. With this knowledge, an entity can take a proactive approach to security and compliance, and apply corrective actions before it is too late.

Understanding of HIPAA high-risk areas and respective counter-measures

In performing a HIPAA Risk Assessment, your organization will identify high risk areas related to the security, integrity and availability of PHI, and evaluate the current security controls in place to mitigate the likelihood and/or severity of each risk event. From this evaluation, an entity can gain an understanding of the design effectiveness of their current controls, and any corrective actions needed to address gaps in control design. These assessments can also be critical in determining the potential impact of a breach of PHI on your organization.

Aid in business continuity and disaster recovery planning and availability baselines related to protected health information

A HIPAA risk assessment, requires the examination of information availability controls relative to PHI. Through this examination, an organization will gain a baseline understanding of the current efforts used to ensure the availability of protected health information. With this information, an organization can address any weaknesses relative to the availability of protected health information and adjust business continuity and disaster recovery plans accordingly. An often overlooked component of the business continuity and disaster recovery planning process is the safeguarding of PHI during a disaster event. Performing a quality HIPAA risk assessment forces an organization to consider the mechanisms in place to safeguard PHI during a disaster event.  With an availability baseline control overview, an entity can bolster their business continuity and disaster recovery plans to include appropriate handling of PHI in the case of a disaster event.

Integrity of PHI during processing lifecycle

Throughout the PHI processing lifecycle, PHI is received, maintained, transmitted, and stored. During each component of the processing lifecycle, there are many opportunities for errors to corrupt the integrity of the data. As part of a HIPAA risk assessment, an organization must identify the current mechanisms utilized to maintain processing integrity of PHI. This evaluation also identifies any unmitigated risks or gaps in control design relative to processing integrity of PHI.

Identify privacy shortcomings from internal operations

An often overlooked risk related to HIPAA privacy and security is internal operations. When an entity develops control procedures around the privacy of PHI, many entities do not have adequate safeguards in place restricting internal employees from inappropriate access. This can allow for employees who do not have a business need for the information to obtain and inappropriately remove the PHI from the entity, causing a breach, and opening the entity to possible HIPAA violations. Through Freed Maxick’s procedures, internal privacy shortcomings will be identified corrective actions will be recommended. From these recommendations, an entity proactively address any internal privacy gaps and correct them before a breach occurs.

Why Freed Maxick for a HIPAA security risk assessment?

Our team of HIPAA experts will work with you and your organization to review your entity’s needs and find the right HIPAA service for you. Freed Maxick can act as independent examiner and issue an opinion (AT-C 601) on your current HIPAA compliance, or as a consultant to help identify and address any current gaps with HIPAA compliance. By conducting a thorough risk assessment of your organization’s HIPAA compliance program, we can help you identify weak areas in your current processes, and advise you on the most effective and efficient ways to achieve and maintain compliance.

For more information regarding how Freed Maxick can complete a HIPAA risk assessment or any other HIPAA service offering questions, please contact me at joseph.loecher@freedmaxick.com.

More Insights and Guidance on Risk Management Issues - Click here.

View full article

Risk Assessment and the Art of Improving Processes and Controls

risk inventory blog

Do you employ a risk and control inventory?

No matter where you get your business news, it seems like a day never goes by without a story about a large reputable organization in hot water for a failure of management to recognize and manage a risk.

However, the news is also full of favorable press for executives and businesses navigating tricky waters and thriving despite risks.

In order to understand risk, let’s start with the dictionary definition. Risk is the “possibility of suffering harm or loss; danger”; i.e., loss of financial wealth, emotional well-being, social status, and/or physical health, etc. We take risks in order to gain a reward resulting from a given action or inaction, foreseen or unforeseen. The biggest problem with risk is that too many businesses fail to thoroughly understand and manage it, but in order to manage risk, you need to be able to measure and understand your organization’s tolerance for risk.

Then, how do we measure risk and how do we minimize risk? How do we weigh our options as we assess risks?  What is our risk appetite?

How to Make an Educated, Real Time Decision About Risk

Executives must make decisions every day, often under tremendous pressure to deliver an answer in a split second. How do you know that you are making the right decisions?

The key to making educated risk decisions in the spur of the moment is to develop a thorough understanding of the risks that your business faces and its tolerance for risk ahead of time. Armed with this knowledge, you can proactively manage existing risks and identify and respond to new risks as they arise.

Being risk-focused means having your ducks in a row. Some items to consider:

  1. Understand the risks within your industry, i.e. operational, environmental, regulatory, and technical, etc.
  2. Have an idea what your competitors are doing regarding risks and their reactions to them.
  3. Do you have a risk and control inventory?
  4. What is your organizational risk culture and what risk programs do you presently have in place?

10 Steps for Creating a Risk and Control Inventory

One way to understand the risks that affect your business or department is to create and maintain process flows and narratives that identify relevant risks and their controls. This is a very simple exercise, but many businesses never take the time to do it.

Follow these steps to create a risk and control inventory:

  1. Challenge your team to stop and think about the processes within their specific area.
  1. Identify processes that generate inputs to your workflow. (What must happen before we can start our work?)
  1. Identify where your process outputs go. (What steps happen once your work is done?)
  1. Inventory each process within your area that modifies the input you receive in order to create the output you deliver. Document these processes in writing.
  1. Plot each process from beginning to end. (Sometimes you might have to think about the actual processes by breaking them down to several pieces. You can go as high-level or as detailed as you wish).
  1. Once you understand each of the process steps, identify the risks associated with For every step, list each of the possible things that could go wrong.
  1. Then identify the corresponding controls designed to address those risks.
  1. Number your risks and controls for easy reference. Make sure that each risk has at least one corresponding control. If one doesn’t exist now, the creation of a new control could be one of the first to-dos coming out of the process. (An added dividend of this process is you may identify repetitive or non-value-added steps that can be eliminated to streamline the flow.)
  1. Create a process flow narrative. It shouldn’t merely repeat the process steps. The narrative should add value to the process by identifying associated risks and controls at each step.
  1. Refer to these risks and controls going forward by their assigned reference numbers. Documentation should be clear and precise, including just enough detail that the reader understands the risks in play.

The flow charting process may take several tries. Confer with process owners to determine how detailed you need to make the chart in order to help everyone understand their roles in identifying and controlling risks. Don’t get discouraged if you cannot get the processes down the first time. Once completed, it will help you to see where exactly the risks and controls lie. Once identified, then the next step is how to use this information in order to mitigate these risks.

Connect with a Freed Maxick Risk Management Expert

If you would like to learn more about how to document risks within your organization, contact one of our Freed Maxick risk professionals here, or call us at 716.847.2651 to discuss the risk services that we offer. Our risk professionals currently work with clients from multiple industry sectors.

We will work with you and your organization to complete an assessment that will identify risks, make recommendations for improving your current processes and controls, and advise you on risk management best practices. We look forward to working with you.

More Insights and Guidance on Risk Management Issues - Click here.

View full article

1-2-3s of Risk Management

1,2, 3s of risk management

How Risk Discovery and Mitigation Can Help Stop Future Headaches

Have you thought about how risks are discovered at your organization? Do employees understand the risks that exist within their work areas and how it impacts the overall organization?

When we’re occupied with day to day functions, we typically don’t see dangers and uncertainties lurking around the corner. These uncertainties are threats often embedded within business processes and environments that are not easily identifiable. Threats can come from sources including, but not limited to: strategic; operational; financial; legal; regulatory and compliance; credit; product/service; and natural cause/disaster risks. 

The Value of Risk Assessments

One way of understanding risk is to document processes and conduct a risk assessment.

The goal of a risk assessment is to identify potential threats to the business, down to the unit level, and to understand the root cause of these risks. Then you can start a discussion on what type of risk mitigation efforts are required: acceptance as a cost of doing business, transference (insurance) or mitigation (control environment).

These activities bring you one step closer to establishing an effective Risk Management Program.

What role does one play in this risk arena? Basically, a Risk Management Program is the identification, evaluation, and prioritization of various risks, followed by an analysis and documentation of the proper courses of action.

A Six Step Risk Assessment Plan

One way to assess risk within your immediate business area(s) is by applying the following steps:

  1. Define your business process by creating process flows with narratives.
  2. Identify the potential risk areas within the process flow.
  3. List the controls or the lack of controls (gaps) in place.
  4. Create a risk ranking scale and map specific risks to your business areas.
  5. Have risk discussions with management to determine the risk appetite and tolerance.
  6. Align risks at the Enterprise Risk level. Risks should be aligned from different business areas to    higher level risks (enterprise level).

    Bringing Uncertainty Into A Manageable Form

    Although risk management can take many forms, these initial steps will help you understand existing risks and identify potential risks. It will allow you to have a better pulse on the unknown.

    The key to risk management is to bring uncertainty into a more manageable form while not disrupting the organization’s overall business goals and objectives. The better the control over a risk, the less the likelihood of an unexpected loss. A good Risk Management Program will result in meeting the business objectives of your company or organization at reduced costs.

    You Need "All Hands-on Deck" for Risk Management

    Organizational risks must be understood and managed by all employees. The culture of a well risk-managed business can be reflected by its people, processes, and technology and how each of those assets are deployed and dynamically related to each other. Having the proper strategic efforts within the specific business units, including transparency, and the understanding of how these risks relate to the broader organization will allow risks to be managed at the tolerance level that management is willing to accept.

    Connect with a Freed Maxick Risk Management Expert

    If you would like to learn more about how to minimize risk within your organization, contact one of our Freed Maxick risk professionals here, or call us at 716.847.2651 to discuss the risk services that we offer. Our risk professionals currently work with clients from multiple industry sectors

    We will work with you and your organization to complete an assessment that will identify risk, make recommendations for improving your current processes, and advise you on risk management best practices. We look forward to working with you.

New Call-to-action

More Insights and Guidance on Risk Management Issues - Click here.

View full article

GDPR Compliance: What Your Business Needs to Know

how to tell if your business needs to be GDPR compliant

Can you avoid the headaches, costs, and resources needed to comply with the European GDPR regulation?

Aiming to territorially expand the protection of the data rights and privacy of people living in a European Union country, the new EU General Data Protection Regulation (“GDPR” or “the Regulation”) is one of the first global privacy laws affecting organizations all over the world.

Even though your business, nonprofit or governmental entity is US based, you may be subject to GDPR compliance requirements - and fines for non-compliance - taking effect on May 25th 2018. 

As the enforceable date moves closer, US based businesses need to take a serious look at whether or not they are responsible for becoming GDPR compliant. To help you make the determination about the necessity to commit budget, time and resources for compliance, it’s important to dive into the Regulation’s Material Scope and Territorial Scope. 

GDPR Material Scope

GDRP compliant

The Regulation applies to any organization that processes any personal data of an EU data subject, regardless of where the processing occurs.

The Regulation defines processing as:

“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

In comparison to the majority of the privacy laws that are currently in effect, the Regulation applies a much broader approach to what constitutes ‘personal data’. In general, most organizations view personal data to be sensitive in nature; information such as Social Security Numbers, Credit Card Numbers, or Protected Health Information (“PHI”).

However, GDPR refers to personal data as:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Essentially the Regulation’s requirements apply to any information that can be reasonably traced back to a specific EU data citizen.

GDPR Territorial Scope

As stated earlier, GDPR is effectively the first global privacy law. The Regulation explicitly states that it applies to the processing of personal data of EU data subjects “regardless of whether the processing takes place in the Union or not”.

It is important to note that this does not necessarily mean that processing of all EU personal data is automatically covered by the Regulation. The Regulation provides instances of where such processing would be covered.

The first instance is that the processing of covered personal data is performed by an organization established within the Union. This means that the organization’s operations are within the EU, thus any personal data processed will be covered by EU law.

The second instance is that the processing of covered personal data is performed by an organization located outside the Union, but where the processing relates to either:

“a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

In essence, the Regulation applies to both EU and non-EU organizations if they process covered personal data of EU citizens.

Controller vs. Processor

If your organization meets the criteria above, the Regulation views your organization as a ‘Controller’. 

Controllers are organizations that interface with the data subjects, are responsible for (1) the collection of personal data from the data subjects, (2) establishing the purpose of the processing, and (3) ensuring the rights of data subjects are protected.

However, the Regulation identifies two types of covered organizations - controllers and processors. Here’s the other shoe drop: processors must be GDPR compliant also.

Processors are third parties used by controllers to perform a portion of the processing of covered personal data. Controllers are responsible for ensuring that processors provide assurance that the data subject’s rights and protections reside within their portion of the processing.

What this means is that even though an organization may not directly offer services to the EU, or meet the territorial scope requirements, they can still be required to become compliant as a processor. If your organization provides services to a data controller involving the processing of covered personal data, your organization is required to demonstrate compliance with GDPR in order for your data controllers to be able to effectively maintain their compliance.

Why GDPR Compliance Important to U.S. Businesses?

U.S. Businesses who process personal data obtained from data subjects within the Union that fail to be compliant with the Regulation face significant penalties that can include administrative fines of up to 20 million Euros or 4% of their total worldwide annual turnover of the preceding financial year, whichever is higher.

U.S. Businesses who are not compliant and provide services involving the processing of personal data to other organizations could potentially face losing business with international clients. This would be caused by the inability to support the GDPR efforts of their clientele, who are explicitly required to ensure the compliance of any processors utilized.

Freed Maxick Can Help You Become GDPR Compliant

Our team of privacy and security control experts will work with you and your organization to review your overall compliance with GDPR. By conducting a thorough examination of your organization’s privacy practices, we can help you navigate GDPR, identify weaknesses in your current processes, and advise you on the most effective and efficient ways to both achieve and maintain compliance.

Connect with us today by completing and submitting your request for a complimentary compliance assessment review, or email Peter.Schnorr@freedmaxick.com.


More Insights and Guidance on Risk Management Issues - Click here.

View full article

New European General Data Protection Regulation (GDPR) Will Impact US Companies

GDPR ComplianceAfter years of preparation and debate, On May 25th 2018, the European Union’s General Data Protection Regulation (“EU GDPR” or “GDPR”) will go into effect and be fully enforceable.

gdpr-compliance-chart.jpgThe law’s primary objective is to protect all EU citizens’ data and privacy, as well as promoting standardization of responsibilities of in scope data controllers and processors. The regulation does not seek to impede the free movement of information in an effort to not adversely affect the EU economy. 

The EU GDPR replaces Data Protection Directive 95/46/EC. Prior to GDPR, each EU member state controlled implementation and enforcement of data protection laws. Key changes from the Directive include an increase to the territorial scope and the strengthening of the data subject’s rights.

The EU’s authoritative bodies designed and passed GDPR in an effort to harmonize enforcement across the union. Due to the GDPR’s status as a regulation, as opposed to a directive, member states no longer individually decide how to implement and enforce the law. Alternatively, the Regulation explicitly states how it must be implemented and enforced.


Major changes from the Directive to the GDPR, include an increase in the territorial scope of the law. In terms of material scope, the Regulation applies to: 

the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. 

This means the regulation applies to any processing of personal data of EU citizens, whether in an automated or manual fashion. By personal data, the law means any information relating to an identified or identifiable natural person. This data includes, but is not limited to:

  • Names
  • Identification numbers
  • Location data
  • Online identifiers, such as an IP address
  • Physical, physiological, genetic, mental or any other health information
  • Economic, cultural or the social identity of the natural person

The old Directive was only applicable to persons or entities located within the EU. However, one of the major changes of the GDPR is that the Regulation now applies to any person or entity that processes EU citizen data, regardless of the location of the person or entity. 

The Regulation applies to entities outside of the Union if the processing of personal data is related to one of the following options: 

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union. 

If you, or your organization, are responsible for either the offering of goods and services or the monitoring of the behavior of EU citizens that involves the processing of their personal data, your organization will be subject to this Regulation.

Data Processing Principles

The Regulation requires that all processing of covered personal data follow established principles including: 

  • Lawfulness, fairness and transparency – the data is collected and processed only when the data subject has given appropriate consent, it is necessary for the performance of a contract, is necessary for compliance with a legal obligation, or is vital to protect the interests of the data subject or the public
  • Purpose limitation – the information is collected solely for the purpose established and agreed upon by all parties
  • Data minimization – limited to what is necessary to complete the agreed upon processing
  • Accuracy – the data is ensured to be accurate, and where necessary, kept up to date
  • Storage limitation – the data is kept no longer than what is necessary for the purpose for which the personal data is being processed
  • Integrity and confidentiality – the data is processed in a manner that ensures appropriate security of the personal data 

GDPR Impact on US Companies

Under GDPR, organizations are accountable for reporting their covered processing activities to the applicable authorities, as well as being able to demonstrate their compliance with the Regulation. To be GDPR compliant, organizations must provide evidence of:

  • Data protection by design and by default
  • The creation and maintenance of a record of processing activities
  • Security of the processing
  • Data protection impact assessments and prior consultation
  • The establishment of a data protection officer
  • Codes of conduct and certification

GDPR’s Severe Fines and Penalties for Non-compliance

So why is this important to US Businesses? 

Outside of the desire to keep one’s customer’s personal data safe and private, US Businesses who are not compliant with this Regulation may face significant penalties: administrative fines up to 20 million Euros, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Freed Maxick Can Help Your US Business Become GDPR Compliant

Our team of privacy and security control experts will work with you and your organization to review your overall compliance with GDPR. By conducting a thorough examination of your organization’s privacy practices, we can help you navigate GDPR, identify weak areas in your current processes, and advise you on the most effective and efficient ways to achieve and maintain GDPR compliance. 

For a complementary review of your organization’s situation and assessment of how to become GDPR compliant, please contact me at Peter.Schnorr@freedmaxick.com or connect with me on LinkedIn

More Insights and Guidance on Risk Management Issues - Click here.

View full article

Occupational Fraud: Could Your Office be at Risk?

Report Sheds Light on Fraud Perpetrators

Author: Adrienne Schreier

In its 2012 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) estimates that the typical organization loses 5% of its revenues to occupational fraud every year. The median loss in the ACFE’s survey of almost 1,400 fraud cases was $140,000, and more than 20% of these cases resulted in losses of at least $1 million.

The numbers are alarming, as few companies can afford such losses. Perhaps more surprising are the ACFE’s findings related to fraud perpetrators. The employees behind such costly schemes aren’t your average criminals.

Tone at the top

Although it’s easy to place the blame for occupational fraud on lower-level employees, research tells another story: 42% of the perpetrators in the ACFE survey were nonmanagement, but 38% were managers and 18% were owners or executives.

And, in fact, the higher the thief’s position in the company, the more costly the fraud. Owners and executives were responsible for losses that were approximately three times higher than managers instigated. For their part, managers rang up losses about three times higher than regular employees caused. The ACFE attributes such statistics to the fact that those with more authority have greater access to their company’s assets. They’re also in a better position to override internal controls. Not surprisingly, the study also finds that the amount of fraud losses increases with perpetrators’ tenure and education — which typically are associated with higher positions and greater trust.

Other notable findings

Certain departments provide greater opportunities for fraud. Accounting, operations, sales, executive / upper management, customer service and purchasing areas together accounted for 77% of all cases.

Another important finding is that most occupational thieves aren’t career criminals. Of the 860 cases in the ACFE study (where information was available), only 6% involved a perpetrator who had previously been convicted of a fraud-related offense. And of 695 cases with information on the perpetrator’s employment history, 84% of them had never been punished or terminated by an employer for fraud.

Under pressure

Most fraud perpetrators turn to theft because they’re experiencing some type of pressure — at work, in their personal lives or both. The pressure could be financial — stemming from debt, addiction, gambling losses, poor investments, medical bills, divorce, or “keeping up with the Joneses.” Or pressure may come from supervisors with unreasonable performance goals or from company shareholders with high earnings expectations.

Frequently, occupational thieves are motivated by anger and dissatisfaction with their manager or the company’s leadership. Their anger may be fueled by a perception that management’s own ethics and integrity are lacking. In rare cases, perpetrators draw personal satisfaction from outsmarting their boss or the system.

Prevention tips

The ACFE report makes several recommendations to employers that want to prevent fraud:

Set up fraud reporting mechanisms. Typically, this means a confidential tipline accessible to both internal and external sources. As in previous surveys, the ACFE report found that such tiplines were one of the most effective methods of catching occupational thieves.

Provide targeted fraud-awareness training. At a minimum, a qualified fraud expert should explain to employees and managers the actions that constitute fraud, how fraud harms everyone in the organization and how employees can safely voice their suspicions. ACFE research shows that organizations with antifraud training programs experience lower losses and schemes of shorter duration than those without.

Educate on the characteristics and behavior of fraud perpetrators. It’s important that managers and employees be able to spot red flags — and know how to report them.

No program can prevent all fraud, but following these tips should help you reduce its incidence in your organization. When you know how to detect fraud schemes, you can stop them quickly and thereby reduce overall losses. In addition, potential perpetrators may be more hesitant to steal if they know that management and co-workers are on the lookout for fraud and have the means to report it.

Don’t go it alone

A little knowledge about fraud can go a long way, but companies can get themselves in trouble by acting too hastily on mere suspicions. Encourage your clients to retain fraud experts who have experience performing thorough and comprehensive investigations.     

If you have any questions about fraud perpetrators or any other issue, give us a call at 716.847.2651, or you may contact us here.

occupational fraud

More Insights and Guidance on Risk Management Issues - Click here.

View full article

White Collar Crime and Detecting Fraud Schemes

A Closer Look at the Motives and Methods of the Criminal Mind

In a recent August article from The Journal of Accountancy, author Jeff Drew takes a unique look at what forensic accounting professionals can learn from the criminal mind and the crimes they commit.

From Drew’s article, “The AICPA Fraud Task Force, a group sponsored and supervised by the Institute’s Forensic and Litigation Services (FLS) Committee, provides fraud detection, investigation, and prevention information to AICPA members. As part of this mission, the task force located and interviewed half-dozen perpetrators of significant accounting fraud. The task force summarizes the interview responses in a new report designed to help CPAs implement controls or other measures to prevent similar fraud.

The six individuals who agreed to talk to the task force did so with the understanding that their names would not be revealed. The information they provided paints a broad picture of who they were at the time each fraud took place—and how they have changed since then.”

business interruptionThe interview responses provide a more thoughtful look at several schemes in detail including the Ponzi scheme, misappropriating funds, mismanagement of collections, loan fraud, stock inflation and bogus revenue reporting. These interviews and the breakdown report of each scheme provide insights into the criminal mindset and ideas and research for CPAs to structure better internal controls and craft more insightful questions about financial statements.

To read the article in greater detail, check it out here.

More Insights and Guidance on Risk Management Issues - Click here.

View full article