If you make it easy for people to steal from you, they will.

For the past 25 years, the accounting firm KPMG International has surveyed the top 1,000 firms in the United States, asking them to rank the crimes that hurt their company the most. KPMG does not ask how many dollars were lost, only the ranking of the types of crime. Since the survey began, embezzlement has ranked No. 1 among these firms. Check fraud did not make the list until 10 years ago, when it ranked ninth.

Today, check fraud ranks No. 2. Under the revised Uniform Commercial Code (UCC), employers have sole responsibility for the actions of their employees. Employers are in a far better position to avoid losses by carefully selecting and supervising their employees, and by adopting other internal fraud prevention measures. By strictly following basic internal financial controls, companies can prevent or substantially reduce their risk of embezzlement.

Implement a System

Use hiring procedures that keep people with questionable backgrounds out of your organization. Check all references. Confirm employment dates and look for time gaps in a résumé. When filling positions in sensitive areas, conduct complete background checks. Use bonded temporaries in financial functions.

Establish internal controls to prevent the theft of incoming or outgoing checks. Many crime victims have traced the theft to their own mail rooms! Mail room personnel must have clean backgrounds. Bonding makes sense. The payroll and accounts payable functions are particularly vulnerable to embezzlement, and controls over those functions are needed to prevent payments to ghost employees or vendors.

Seek Outside Help

Corporations are totally responsible for any unauthorized payments made by a dishonest employee. Prevent ghost employees and improperly altered pay rates by restricting access to the personnel master file records. Adding new employees or changing pay rates should require supervisory approval and supporting documentation. To help identify and reduce exposure to fraud in the accounts payables area, engage an accounts payable audit firm with the experience to properly audit this area.

The better firms provide a detailed review of a company's disbursement procedures as part of their audit, which is generally conducted on a no-fee contingency basis. Access to the master vendor file should be tightly restricted. Changing vendor records or adding new vendors should require supervisory approval and supporting documentation. Someone independent of the buying and payment processing functions should review all new supplier entries. The review should always include a telephone call to the new supplier using a phone number obtained from an external directory source such as 411. Verify the name, address, and Federal tax ID number.

Payroll controls should ensure that only legitimate employees can be added to the system and that the rate of pay cannot be changed without supervisor approval and supporting documentation. Checks should always be mailed directly to the vendor or payee, and not returned to the requesting operating unit, department, division, or branch office. Returning checks to the requester is an open invitation for fraud because of the risk of alteration.

Mailed checks returned by the Post Office as undeliverable should not be returned to the person who processed them. Someone independent from the disbursement process should handle these exceptions and investigate the reason for their return. A separate post office box should be established for returned checks. Replace your company name and address on disbursement envelopes with a simple post office box number.

Access Matrix

Conduct periodic surprise audits of the various check control functions. Audits should test the overall system to ensure that it is secure and functioning as it should. Independent, experienced individuals trained in software systems and theft detection should conduct these audits. Create audit trails by restricting access to the master file records. Most computer systems can create an audit trail of all changes made to the master file records, including who made them and who approved them.

Someone independent should regularly print and review a report detailing the changes. This report is sometimes referred to as an "access matrix." The access matrix should list each person with system access and the person's level of access by module. Comparing the access authority of each employee should be part of this review. Determine a standard "access profile" for each employee position and restrict the master file records to these persons.

Immediately delete the names of employees who are terminated or have their positions modified, and investigate any suspicious activity. Make sure separate groups of people are responsible for the accounts payable, accounts receivable, and banking functions. Divide financial responsibilities to ensure that the people adding new vendors to the master vendor file are not approving vendor invoices for payment.

The people issuing checks should not reconcile the account. If duties are not separated, a dishonest employee could issue a check to him or herself or to a co conspirator, remove the check from the bank statement, and adjust accounting records to hide the embezzlement. Receipts and deposits must balance each day, and separate people should perform these duties to prevent forged endorsements on stolen checks.