A cautionary tale

This article first appeared in the Scottish Motor Trade Association Auto Insight magazine in February 2022.

I suspect most people remember their first car with great affection.  Mine was a V reg, 1979 1.3 Ford Escort Mark II in Midnight Blue with raspberry upholstery.  What it lacked in speed it made up for in looks.  Sleek, with a chrome bumper, side-trim, wing mirrors and door handles; I spent many a Saturday afternoon lovingly washing and polishing my automotive treasure.  I had worked endless shifts through the summer of 1989 to save the £350 required to relieve a local man, a new father, of what had been his pride and joy until his baby girl arrived and a Ford Sierra beckoned.

Valerie (doesn’t everyone name their first car?) was a head-turner and she took me to places I had never been before – like Leven!  It is fair to say, I was very fond of that car.  Sadly, like many passionate affairs, our relationship was fated to burn bright but short.  I was a student at the time, still living at home, and my mother woke me one night to say she had looked out the curtains and noticed my Valerie wasn’t parked in her usual spot, right in front of the house.  She had been there when my mother had retired for the evening, so she wondered if I was out on some secret, nocturnal mission.  I was not.  I had been gently snoring, dreaming of perfectly balanced accounts.  While I slumbered, someone had stolen my Valerie.

The police came and took notes.  They laughed when I told them the make and model.  Who knew Mark IIs could be unlocked and started with a simple Yale key?   Valerie was found a couple of days later, abandoned and burnt out. My first automotive love affair lay in ashes (and melted vinyl).

The moral of this sorry tale?  It’s important to protect what you value.  Had I invested just a few pounds in an anti-theft bar for my steering wheel, it’s likely Valerie would not have been worth the bother for the joyriders.

What are the lessons?

What do we do to protect the value of our businesses?  Buying insurance is an obvious one – for business interruption, fire, flood and pestilence.  We may consider life or keyman insurance. We use legal agreements to protect brands and intellectual property.  We deploy contracts of employment and complex commission and bonus structures to secure the loyalty of our key employees.  We spend countless hours on succession planning and identifying new talent. We invest in equipment and the latest technology to help us keep ahead of the competition and protect what we have worked hard to create.

But like my simple anti-theft bar, are we missing something?  How well are we protecting our businesses’ data?

The National Office for Statistics Cyber Security Breaches Survey 2021 highlights that 4 in 10 businesses reported having cyber security breaches in 2020.  This is highest amongst medium-sized businesses – 50 to 249 employees.  There are virtually no businesses which do not have some form of digital exposure. Most have several when you consider the wide range of internet-connected devices.  Current technologies mean that even surveillance cameras and alarm systems can be susceptible to attack.

The problem may be within

Most businesses will use online banking and some form of internet-enabled, if not cloud, accounting software together with online or EPOS card payment systems.  When you then consider company websites, mailboxes and social media accounts there are many potential points of vulnerability.  This news is as current as my old Mark II, I hear you say.  True – most (but alarmingly not all!) businesses will be doing all they can to protect their systems from cybercrime by deploying IT and software security measures.  But what are you doing to protect your business from data theft and financial crime perpetrated by what you consider to be one of your most valuable assets – your people?

I subscribe to a daily financial newsletter.  Barely a day goes by where a fraud or financial theft by an employee isn’t highlighted.  It is much more widespread than business owners would like to consider.

One recent case, which led to a 26-month prison sentence for the perpetrator, highlighted the vulnerability of businesses which rely on just one payroll administrator and pressured finance departments.  Between July and November 2018, a payroll clerk diverted over £55,000 to his own bank accounts.  He targeted final salary payments to employees who were leaving.   One former employee queried why they failed to receive the higher settlement payment they were expecting. At this point the payroll clerk was questioned by police.  Unbelievably, once released pending further investigation, he commenced employment within the accounts department at another company but continued to fraudulently divert funds of over £7,000 into his own accounts.

While this case is an example of theft and a gross breach of trust, it highlights that without the correct controls in place, those who are so minded can get away with this type of fraud for some time.

What can you do

Firstly, ensure that the person recruiting a candidate for a role in payroll or finance asks suitably probing questions to reveal any discrepancies in their career history and technical knowledge and always obtain at least two references for new employees.  Be suspicious of anyone who cannot give a contact for their last employer.

Secondly, payroll should be checked by a second person, not involved in the preparation of the payslips.  This includes checking any changes to employee bank accounts and ensuring that leavers from the previous pay period are not included in the current pay run.  You should also review for any payment amounts which vary considerably from the usual net pay amount.

Make sure you are using passwords on all financial and payroll software and that computers are “locked” when unattended, to prevent unauthorised access.

It is essential that card readers and passwords for online banking software are not shared.  This is a direct breach of the agreement you have in place with your bank and can lead to your account being frozen if discovered.

Thirdly, those responsible for the preparation of the payroll should not also be involved in making the bank payments to staff.

These procedures can be tricky to achieve in smaller businesses and one option might be to consider outsourcing payroll to a payroll bureau, particularly one which is authorised by the UK’s payment authority, Pay.UK (the people who run BACS and the Direct Debit scheme), to process employee payments.  Payroll bureaus operate under strict procedures to ensure employee data is secure and payroll is processed accurately and on time; also helping employers to remain compliant with complex HMRC and employment law rules.  Look for a bureau with a good number of staff so you have cover for absence and one recognised by BACS and the CIPP – the Chartered Institute of Payroll Professionals.
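The second-person payroll check described above can be partly automated. The sketch below is an added example, not from the original article: it flags bank detail changes, leavers still in the pay run and unusual net pay, and goes one step further by flagging any account that receives more than one salary. The record layout, the sample data and the 25% tolerance are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data (not real payroll records).
# HISTORY: employee id -> net pay in recent periods; PREVIOUS_BANK: details last period.
HISTORY = {"E01": [1850.0, 1850.0, 1862.5], "E02": [2100.0, 2100.0, 2100.0],
           "E03": [1500.0, 1510.0, 1500.0], "E04": [1720.0, 1720.0, 1720.0]}
PREVIOUS_BANK = {"E01": "11-11-11/00000001", "E02": "22-22-22/00000002",
                 "E03": "33-33-33/00000003", "E04": "44-44-44/00000004"}
LEAVERS_LAST_PERIOD = {"E04"}          # left in the previous pay period
CURRENT_RUN = [
    {"emp": "E01", "bank": "11-11-11/00000001", "net": 1850.0},
    {"emp": "E02", "bank": "99-99-99/00000009", "net": 2100.0},   # bank changed
    {"emp": "E03", "bank": "33-33-33/00000003", "net": 4200.0},   # unusual net pay
    {"emp": "E04", "bank": "99-99-99/00000009", "net": 1720.0},   # leaver, shared account
]

def review_pay_run(run, previous_bank, history, leavers, tolerance=0.25):
    """Return {employee id: [reasons]} for lines the second checker must query."""
    flags = defaultdict(list)
    by_account = defaultdict(set)
    for line in run:
        emp, bank, net = line["emp"], line["bank"], line["net"]
        by_account[bank].add(emp)
        if emp in leavers:
            flags[emp].append("leaver from previous period in current run")
        if emp not in previous_bank:
            flags[emp].append("no bank details on file last period")
        elif previous_bank[emp] != bank:
            flags[emp].append("bank account changed")
        past = history.get(emp)
        if not past:
            flags[emp].append("no pay history to compare")
        else:
            usual = mean(past)
            # Assumed tolerance: query anything more than 25% away from usual net pay.
            if abs(net - usual) > tolerance * usual:
                flags[emp].append(f"net pay {net:.2f} vs usual {usual:.2f}")
    for bank, emps in by_account.items():
        if len(emps) > 1:               # one account receiving several salaries
            for emp in sorted(emps):
                others = ", ".join(sorted(emps - {emp}))
                flags[emp].append("bank account shared with " + others)
    return dict(flags)

if __name__ == "__main__":
    report = review_pay_run(CURRENT_RUN, PREVIOUS_BANK, HISTORY, LEAVERS_LAST_PERIOD)
    for emp, reasons in sorted(report.items()):
        print(emp, "->", "; ".join(reasons))
```

The report is for the second checker, not the person who prepared the run, and every flagged line should be confirmed against source paperwork before payment is released.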

And finally

After all frauds are uncovered, the most common words I hear are either “I did not think it could happen to me” or “I thought he/she was so trustworthy”. A few simple steps like those above can make sure it will not happen to you.

 

Partner Elaine Cromwell heads up our business support services department and specialises in outsourcing and advising clients regarding internal controls, processes and systems.
