CHAPTER 15

Internal Control and Minimizing Fraud Risk

In This Chapter

  • The importance of securing your records
  • Maintaining your software
  • Backup, backup, backup
  • Preventing identity theft
  • Securing customer information and checks

Internal control means that, as a business owner, you take precautions to secure both your accounting records and the assets of your business. With reports of identity theft, customer account information theft, and more in the media seemingly daily, it’s smart to take basic precautions to keep your company information safe.

In this chapter, we touch on core security measures such as password protection, data backup, identity theft prevention, and disaster recovery options, among other commonsense measures.

Securing Your Accounting Records

If you’re using desktop accounting software, it might be optional for you to assign a password to your accounting records. Cloud-based programs don’t give you an option. They require a password for you to access your records.

We know. You don’t want yet another password in your life, but the nature of securing financial information requires that you do so. Even if you’re the only person who accesses your accounting records, it’s still important to password protect your books. You never know when or if your home or office might be burglarized. Plus, accounting software can be full of information identity thieves seek, such as employee names, addresses, and Social Security numbers.

As with all aspects of your online life, you should change your accounting software password from time to time, and be sure not to use that same password anywhere else.

ACCOUNTING HACK

Keep a list of all your passwords in a secure location such as a locked desk or safety deposit box, and update the list as needed. Or use an app such as LastPass (lastpass.com) or Dashlane (dashlane.com).

Also be sure to protect your computer with antivirus software such as Norton Internet Security (norton.com/Internet_Security), Trend Micro Internet Security (trendmicro.com), or McAfee (mcafee.com). It’s entirely possible for unprotected computers to be compromised by hackers who might surreptitiously spirit away copies of your accounting records or hijack your computer in exchange for a ransom.

Here are some basic rules for selecting a strong, secure password:

  • Make the password at least eight characters long. You don’t need to use complete words, but a memorable phrase works.
  • Don’t use only letters. Use a combination of uppercase and lowercase letters, along with numbers and special characters such as $, &, ), or !. Use spaces if you can; if they’re not allowed, substitute an underscore.
  • Use abbreviations or alternate spellings, or substitute numerals for words (4 instead of for, for example).
  • Avoid personal information others could easily guess or find, such as your name, birth date, or pet’s name.

So using these guidelines, a password like L0v34eveR is stronger than loveforever, for example.

Updating Your Accounting Software

Computer software in general is fraught with complexity, and despite software companies’ best efforts, many times software bugs emerge. These errors in the underlying programming code can cause calculation errors, data integrity issues, or worse.

One of the benefits of cloud-based accounting software is that you don’t have to perform any maintenance. Any bug fixes are applied to the platform automatically.

With desktop software, vendors often push out software updates to fix bugs or add new features, but it’s your responsibility to download and install these updates. If you opt not to update your software, it’s possible that software errors could affect your accounting records.

Sometimes bug fixes or updates cause new problems in your software, but software vendors generally correct such issues very quickly. Still, to protect yourself, always back up your accounting software and company data before you install any new software updates, and particularly before you install a new version of your desktop-based accounting software.

Backing Up Your Accounting Records

Backing up means making a copy of your records as of a given point in time for safekeeping. In effect, backing up makes a snapshot of your accounting records you can restore, or copy from, later if necessary. Ideally, your backup copies shouldn’t reside on your accounting computer itself because bad things can happen to your accounting computer.

It’s best to make backup copies of your accounting data and store them in various other, separate locations, such as these:

USB flash drive or an external hard disk: Either can be connected to your accounting computer so you can save the backup files to the drive and then disconnect when you finish. Be sure to store the drive or disk in another, secure location.

Writeable DVD-R disc: Many newer computers include a drive that can burn backup files to discs. Store these in a secure location away from the computer.

Cloud-based storage service: Even the free basic plans for services such as Microsoft’s OneDrive, Google Drive, or Dropbox provide enough room to upload and store multiple backup files for a typical company.

The penalty for not maintaining proper backups of your accounting software can be harsh. You might have to reconstruct months of activity from paper records you may or may not still have available.

No matter what type of accounting software you use, whether desktop or cloud-based, it’s essential that you create backups of your data.

Backing Up and Restoring Desktop-Based Data

Although the exact procedures vary depending on your software, when backing up your data in desktop-based accounting software, you’ll typically go to the File menu and then look for a command named something along the lines of Backup. Or it might be under a Utilities submenu. Backing up is important enough that most software programs usually make the process easy to find.

Desktop-based accounting software programs often walk you through the steps involved with backing up your data.

You can and should back up your company data manually from time to time. However, you also should set up scheduled backups for your accounting software, so in case you forget to back up your data manually, a backup copy is still made.

Depending on your accounting software, in addition to backing up your data, you also might be able to create an archive copy of your accounting records. An archive lets you open a snapshot of your books so you can run reports and view transactions, but you won’t be able to make any changes to the archive copy. Archive copies are particularly helpful for providing supporting documentation to auditors.

An archive is a read-only backup of your accounting data as of a given point in time.

If your accounting software does not include backup capabilities or if you have trouble with the backup procedure, look for the company file or folder on your computer’s hard disk, make a copy of it, and paste the copy in another location, such as those mentioned earlier.

The process for restoring accounting records from a backup is similar to creating the backup file, but in reverse. You choose a command in your software and then choose which backup file to restore from.

Some programs enable you to keep incremental copies of the accounting data over time. You might choose to restore an older file rather than the latest one, for example, if you know last week’s entries introduced some errors and you want to return to two weeks ago, before those errors were introduced.

RED FLAG

Bear in mind that if you get into your backup files and restore your books on your existing computer, you might be overwriting any previous work you did in the software subsequent to the date you created the backup file.

When it comes to backing up your accounting data and documents, your mantra should be trust but verify. Most of these systems generally perform flawlessly, but anything a human creates or maintains has fallibilities. Randomly perform a backup or check online storage sites to confirm that your backup data and copies of documents are appearing where you expect so that you’ll have the information when you need it.
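As an added illustration (not from the book or any accounting vendor), the manual copy-and-check routine described above can be scripted so every backup is verified when it is made and can be re-checked later. The function names and the `.sha256` sidecar file are assumptions of this sketch.

```python
import hashlib
import shutil
import time
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large company files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def back_up(company_file, backup_dir):
    """Copy the company file to backup_dir under a timestamped name,
    confirm the copy matches the original, and record its fingerprint."""
    src = Path(company_file)
    dest_dir = Path(backup_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    dest = dest_dir / f"{src.stem}-{stamp}{src.suffix}"
    if dest.exists():
        # Never overwrite an earlier snapshot.
        raise FileExistsError(dest)
    shutil.copy2(src, dest)
    digest = sha256_of(src)
    if sha256_of(dest) != digest:
        dest.unlink()
        raise IOError("backup copy does not match the original")
    # The sidecar catches accidental damage (bad media, partial upload).
    # It sits beside the backup, so it does not prove nobody tampered.
    Path(str(dest) + ".sha256").write_text(digest + "\n")
    return dest


def verify_backup(backup_file):
    """Return True only if the backup exists and still matches the
    fingerprint recorded when it was made."""
    backup = Path(backup_file)
    sidecar = Path(str(backup) + ".sha256")
    if not backup.is_file() or not sidecar.is_file():
        return False
    return sha256_of(backup) == sidecar.read_text().strip()
```

Run `verify_backup` against older copies on the flash drive or synced cloud folder from time to time. A `False` result means that snapshot should not be relied on for a restore.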

Backing Up Cloud-Based Data

With cloud-based accounting software, you don’t have to back up your data. In theory, that is. However, no human-based system is completely infallible. In recent years, we’ve seen gigantic companies collapse overnight. It’s unlikely that your cloud-based accounting software provider will suddenly fail, but it is a risk to consider.

A much more likely risk is that a hacker will guess or use a technique like social engineering to get your password, get into your account, potentially steal your data, and change your password so you’re cut off from your financial records. Many times a single combination of an email address and password is the only thing standing between a perpetrator absconding with money from your bank account or holding your accounting records ransom.

One way to guard against such intrusions is to implement two-factor security. More and more online service providers allow you to turn on a feature that requires you to enter a confirmation number they text to you when you sign into an online account. This means if someone steals or guesses your online credentials, they’d also need to have your cell phone in their possession. Two-factor security isn’t a perfect solution, but it does make it harder to illegally access your online accounts or services.

DEFINITION

Social engineering takes many forms, but commonly hackers or others intent on ill will pose as someone reputable in order to gather passwords or information they can use to determine passwords or access to protected spaces or data.

Your cloud-based accounting software may not offer a means for you to back up your entire set of books, but sometimes clever workarounds exist. For instance, with QuickBooks Online, you can export all your data to a backup you can then restore to the desktop versions of QuickBooks. Performing this export doesn’t mean you have to cancel your account, but doing so gives you a comprehensive backup copy of all your online accounting records.

In other cases, you might have to piecemeal your backups by exporting reports from the online software. As we discuss in Chapter 7, the General Ledger report provides a comprehensive listing of all your accounting transactions for any period of time you choose. Periodically exporting this report to an Excel spreadsheet gives you an electronic copy you can use if you need to reconstitute your accounting records. You’ll want to do the same thing with customer, vendor, and employee lists so you always have backup copies of the information.

When you use cloud-based accounting software, you give up an element of control you normally have over data that resides in a desktop accounting program. The upside is that the data is automatically backed up for you, and your service provider may be able to restore your books to a certain point upon request. Most cloud-based accounting programs offer little to no functionality with regard to importing transactions, so if something goes awry with your books, you might have to resort to manually rekeying your data. However, by their very nature, cloud-based programs aren’t susceptible to many of the risks desktop accounting programs pose.

Managing Identity Theft Risk

Identity theft is a widespread and insidious risk individuals as well as companies face every day. Data, money, merchandise, and more are potentially exposed or stolen if someone spoofs your identity or gains access to a bank, retailer, or other entity with whom you have an account.

The key to reducing your chances of identity theft is to keep personal information such as Social Security numbers and dates of birth for you and your employees as secure as possible.

Within your accounting software, keep access to employee records on a need-to-know basis. Both cloud-based and desktop accounting software programs allow you to establish roles for users within the software. Thus, if you have salespeople, you might grant them access to inventory, customers, and sales screens, but not access to vendors, writing checks, or the payroll sections of your software. This concept is often referred to as separation of duties.

Securing Customer Information

If your business accepts credit cards, you need to take special precautions to protect the credit card numbers you collect.

Fortunately, modern accounting programs no longer allow you to store credit card numbers within the software itself. Instead, customer credit card numbers are stored in a secure fashion online that integrates with your accounting software. This ensures that if a malicious party does get a copy of your accounting records, they won’t get all your customers’ card numbers.

Therefore, it’s doubly important to secure your accounting records, not only for your own protection, but to protect your customers as well.

Using Magnetic Swipe Card Readers

Many businesses have started using magnetic swipe card readers that attach to smartphones or tablets. You plug the reader into your device, activate the related app that records the transaction, and swipe credit cards on the spot.

Square Reader (squareup.com) is a popular example, and it synchronizes with QuickBooks, Xero, and other popular programs. Intuit QuickBooks offers its own GoPayment Reader, which works in a similar fashion, accepting credit card payments and recording the payments automatically in your books.

These devices offer even solo businesspeople a secure method for accepting credit cards while protecting customer credit card data. The transaction is encrypted, and the numbers aren’t stored in your device nor your accounting software.

Securing Checks

Credit card fraud runs rampant, but check fraud does as well. All the information anyone needs to empty your bank account is printed along the bottom of your checks: your bank’s routing number and your account number.

Always keep blank checks secured in a locked drawer, safe, or other secure location. Even if you closely monitor the sequence of your check numbers, it might take you months or possibly years to notice checks stolen from the bottom of the box.

Most office supply stores sell blank check stock, magnetic ink, and computer software anyone can use to create fake checks. However, check fraud takes many forms, and thieves sometimes steal checks from the mail. The payee and/or the amount of the checks are altered before the checks are cashed. Fortunately, many banks offer a service called Positive Pay that can head off this issue. If you participate in Positive Pay, whenever you issue checks to anyone, you provide a list of the payees and amounts to your bank. Any checks presented for payment on your account that don’t appear on the Positive Pay list are returned.
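The Positive Pay matching described above can be sketched in a few lines. This is an added example, not a bank's actual system or file format: the `Check` record, the `positive_pay` function, and all sample checks are constructed for illustration. It goes one step beyond the text by also flagging a check number that is presented twice.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    payee: str
    amount: Decimal


def normalize_payee(name):
    """Ignore case, punctuation and spacing differences in payee names."""
    cleaned = name.upper().replace(".", "").replace(",", "")
    return " ".join(cleaned.split())


def positive_pay(issued, presented):
    """Compare presented checks with the issued list.
    Returns (paid, exceptions); exceptions are (check, reason) pairs."""
    register = {c.number: c for c in issued}
    already_paid = set()
    paid, exceptions = [], []
    for item in presented:
        match = register.get(item.number)
        if match is None:
            exceptions.append((item, "not on issued list"))
        elif item.number in already_paid:
            exceptions.append((item, "duplicate presentment"))
        elif item.amount != match.amount:
            exceptions.append((item, "amount altered"))
        elif normalize_payee(item.payee) != normalize_payee(match.payee):
            exceptions.append((item, "payee altered"))
        else:
            paid.append(item)
            already_paid.add(item.number)
    return paid, exceptions


# Constructed sample data: what the business told the bank it issued...
ISSUED = [
    Check(1041, "Acme Office Supply", Decimal("218.40")),
    Check(1042, "Internal Revenue Service", Decimal("1500.00")),
    Check(1043, "Peach State Utilities", Decimal("96.15")),
]
# ...and what arrives at the bank for payment.
PRESENTED = [
    Check(1041, "ACME OFFICE SUPPLY", Decimal("218.40")),
    Check(1042, "J. Smith", Decimal("1500.00")),
    Check(1043, "Peach State Utilities", Decimal("960.15")),
    Check(2200, "Cash", Decimal("500.00")),
    Check(1041, "Acme Office Supply", Decimal("218.40")),
]

if __name__ == "__main__":
    paid, exceptions = positive_pay(ISSUED, PRESENTED)
    for check, reason in exceptions:
        print(f"RETURN #{check.number} {check.payee} {check.amount}: {reason}")
```

The protection depends on the issued list reaching the bank before the checks do, so it should be submitted each time checks are written.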

RED FLAG

When possible, spell out the full name of a vendor or governmental agency when you print or handwrite checks. In particular, if you’re writing a check to pay taxes to the federal government, take the time to write out “Internal Revenue Service” on the check. If your check was somehow stolen, the abbreviation “IRS” could easily be converted to “MRS.” along with any name a thief wishes to use.

If your business is of such a size that you’re not reconciling your bank statement on your own (see Chapter 8), a good safeguard is to have your business’ bank statements mailed to your house or available online so you can view them at any time. Unfortunately, much employee theft is perpetrated by trusted employees who have access to both check writing and bank reconciliations.

As a business owner, you should make a point of always reviewing your bank and credit card statements at least monthly to ensure your accounts haven’t fallen prey to theft or fraud.

Destroying Records

Even the smallest of businesses can generate a mountain of paperwork, some of which can be discarded quickly and some that must be kept for several years or more.

You completely relinquish control over paperwork you put in a trash can, so anything that can be remotely tied back to your business, customers, or employees should go through a shredder, unless it falls under the record retention policies we discuss in Chapter 18.

One of the best investments you can make in your business is a heavy-duty paper shredder that can accommodate 20 pages or more at once. Further, choose a cross-cut shredder that minces paper into tiny pieces, not just long shreds that can be easily taped back together by a thief with time on his or her hands.

Also, be sure to properly destroy electronic records. When it’s time to replace any computers you’ve used in your business, it’s essential that you ensure no data is left on the hard drives. Simply deleting data from your hard drive is insufficient because data you delete still remains on your drive until something else is saved over it. Data is saved on your hard drive randomly, so deleted data could still have a long life.

Reformatting a hard drive resets the drive to its original, blank state. This action can be carried out within the operating system of your computer, but isn’t a foolproof method. Modern data recovery tools can still find data on even reformatted drives. The best software-based solution is to use a tool that wipes your computer’s hard disk, which means the entire disk is overwritten with 0s and 1s that obliterate any previous data.

RED FLAG

Formatting or wiping your hard disk leaves your computer without an operating system, so if you plan on repurposing the computer, you’ll need to reload the operating system and any software you want to use. Many computers either ship with a recovery drive built-in or offer the option to create your own recovery CDs or DVDs for reloading the operating system.

Another method of destroying everything on a hard drive involves using a piece of equipment called a degausser, which magnetically erases all data on a hard drive. You can purchase these for as little as a few dollars to tens of thousands of dollars.

Or to keep it simple, you can just remove the hard drive from your computer and physically destroy it with a sledgehammer or other means.

Disaster Recovery

There’s no limit to the number of ways your business can be affected by a natural or human disaster, so it’s important to have a disaster recovery plan, no matter what size business you have.

Let’s consider a real-world example. An Atlanta-based chocolatier was forced to close down one of its stores due to smoke damage from a fire in an adjacent space. This could have been devastating if the business only had a single location. As you can see, it’s not only your accounting records that can be at risk, but the actual operation of your business as well.

Storing records in the cloud provides an easy way for businesses to protect themselves from disasters, as at least copies of key business documents and records will be available from a new location.

To help prepare your business for a potential disaster, establish on-demand financing such as a working capital line of credit or available room on a credit card should you encounter an unanticipated cash crunch. (This can happen even during normal business operations, much less during a disaster.)

Also, if your business has employees, establish a phone tree for communicating news about the business so no one person is responsible for reaching out to everyone.

If your business needs a physical space, identify potential temporary working quarters you can use should your primary place of business become inaccessible for a period of time.

And as we discuss in Chapter 10, business interruption insurance policies can provide financial protection against events that prevent normal business operations.

Finally, cloud-based accounting programs are great when disaster strikes because your books won’t be tied to any particular computer. As long as you can get online, you’ll be able to access your books.

The Least You Need to Know

  • Use strong passwords to secure access to your accounting records, and create backups you can pull from in the event of a data loss.
  • Take commonsense measures to secure your identity, information such as credit cards, and blank checks for your business bank account.
  • Magnetic swipe card readers offer a secure way to accept credit cards.
  • Shred old paper records, and remove the hard disk before disposing of any computer that held company accounting or other confidential data.
  • Even small businesses need a disaster recovery plan.