Welcome back to part 4 of Antidote to the Wire Fraud Epidemic. In this segment, we talk about how you fight this fraud and specifically focus on:
- Entity level controls
- Implement or update an Authority Matrix
- Review and approve non-standard contracts
- Have periodic and company-wide communications
I suggest you watch the video. It’s easier to understand if you are a visual/audio learner. The content below is the same as the video. It’s for those who learn by reading.
To recap, in Antidote to the Wire Fraud Epidemic, part 1 covered what’s happening and who it’s happening to. Part 2 explained how the scam works, and part 3 covered why the scam is so successful. Now in part 4, how do we fight it?
We have practical suggestions in four areas (entity level, AP, treasury and IT) for you to consider. Fighting fraud is about prevention: sharing information with your team about the scam and how it gets perpetrated. Your team needs to know that they can be the gateway for the scammers, and the suggested internal controls need to be implemented immediately so that you don’t fall victim to this.
Entity level controls are activities that happen throughout your organization, from corporate headquarters to the different subsidiaries and locations. They apply to the whole organization, not just a single company within it. A culture that encourages a questioning mindset is really important, especially when it comes to investigating requests from executives that are unusual or unexpected.
We all want to be helpful to everyone in the organization, particularly when it’s a CFO or CEO asking us to do something. We will jump through hoops for them. We just need to make sure that the hoops we are jumping through are for the real CEO and not the fake one.
One of the controls we highly recommend is implementing and updating your authority matrix. An authority matrix sets limits that require multiple levels of approval, including the board of directors for selected transaction types and amounts. An authority matrix is broader than a disbursement approval authority matrix. It outlines who has the authority to enter into transactions on behalf of the company, whether it’s sales transactions, purchases, leases, employment or general agreements.
A disbursement authority matrix shows how many people can sign checks. Who can sign checks? At what amounts do you need dual signatures on a check? Who can approve wires, and for what amounts? What about ACHs? That’s very specific. An authority matrix is broader. I show examples below to help you set up one that fits your organization.
This is an example of an authority matrix for a large company.
You can see here that we have scrubbed the example to protect the innocent, but this company has done a great job. The table of contents shows the types of transactions and defines them so that anyone in the organization will know what to do when they encounter one of these transactions.
The first part of the authority matrix is the policy, its purpose, scope, and the delegation of authority. If you are a manager, you can approve up to $5,000. If you are a director, you can approve $10,000. If you are a VP, you can approve up to $50,000. If you are the CEO, you can approve up to $100,000. It clearly lays out the delegation. If someone is absent, who has the next level of approval?
This authority matrix also outlines expenses. What qualifies as capital expenditures or purchases? And what expenses go in an expense report? Again, when you see unusual transactions added to expense reports, you can say “It needs a different approval routing. It needs to go through the invoice approval process.”
This authority matrix also addresses inventory purchases. Who can enter into inventory purchases? What volumes can they commit to, and how many additional levels of approval are needed as the inventory purchases get bigger and the projects get longer term?
This authority matrix outlines contracts, non-disclosure agreements, other contractual documents and powers of attorney, and who has the ability to enter into those transactions on behalf of the company. It also outlines HR activities, meaning who can give an offer letter, a severance agreement, a leave of absence or a termination. Who can enter into those and sign off on them?
For sales, how much of a discount can you give? How large a contract can a manager enter into versus a VP? In terms of payment, who has the authority to extend or change payment terms?
On investments and dispositions of company assets, who has the authority? If you are selling off certain divisions, certain assets, or you are buying companies, other assets, intangible assets, who can enter into those and at what amounts?
This authority matrix also addresses financing and central activities, such as switching to a different bank. Who can open bank accounts? Who can authorize that? And if we are leasing real estate, who can do that?
You can also include credits and AR adjustments. How much credit do we extend to customers, and who needs to approve it when the credit limits have been exceeded? When can we issue credit memos? When can we do AR adjustments and write-offs? Having that clearly outlined helps everyone do their job.
Also include inventory and suppliers. Of course, if you don’t have inventory, this does not apply to you. For inventories, when can we do pricing adjustments? When do we do write-offs? When do we reserve inventory? When do we change pricing with suppliers if market conditions change?
There are also treasury activities and financial investments. What do we invest in? Is it AAA grade instruments? What types of investments are we allowed and who needs to approve that?
Finally, the authority matrix can include capital expenditures. If we are building another data center or leasing space, or building out additions to the building, who needs to approve that? As you can see, it’s fairly broad and comprehensive. If you don’t need a section, you don’t have to use it.
This is an example of what could be included in an authority matrix.
As you can see, there are four sections. There is one for procurement contracts. If you’re buying something and it’s under $50,000, the controller and VP can sign off on it. But if it is over $50,000, then only the controller, VP, and legal together can approve it. Again, it outlines the different thresholds. For sales contracts, over or under a certain amount, who can enter into those and what do you need to do? For non-disclosure agreements, whether it’s customer opportunities, vendors or suppliers, or third parties who want to disclose technology or proprietary information, who can sign those?
There are also examples of other contractual documents like memoranda of understanding, letters of intent, term sheets and other agreements. Who can enter into those? Outlining it in an easy-to-read grid like this example is really helpful for the rest of the organization, because they can quickly see what applies when they get one of these requests.
The second thing that we suggest is implementing a procedure to require legal review. If your organization is too small to have a fully dedicated in-house general counsel, you should at least have a legal reviewer: someone you have gone to before as an outside reviewer, or at least someone you know has the legal knowledge to do this. The reason this is so important is that when these fraudulent e-mail requests come in, they are for non-standard transactions. If a non-standard contract requires money to be sent, or if you ask “Have you got approval from Joe Smith?” and the approval doesn’t show up in the form you would recognize, then you know this is a fraudulent request.
The third thing that we recommend is holding periodic, company-wide communications to bring awareness to these types of issues. This way, everyone in the organization knows about it. We encourage communication between departments, because we all know that executive assistants are among the most important people in the organization. They see the email traffic, and if they know about this type of fraud, they can be on the lookout for anything that looks suspicious.
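One way to turn the thresholds above into a check that a payment or contract workflow can run before anything is signed or wired. This is an added example, not code from the original article: the role names, the “disbursement” and “contract” request kinds, the rule that amounts above the CEO cap go to the board, and the treatment of exactly $50,000 as the lower band are assumptions made here; the amounts come from the article’s examples.

```python
# Added example (not from the article): encode the delegation limits and the
# procurement-contract grid as a pre-approval check.

# Single-approver caps from the article's delegation of authority example.
APPROVAL_LIMITS = {"manager": 5_000, "director": 10_000, "vp": 50_000, "ceo": 100_000}
ROLE_RANK = {role: i for i, role in enumerate(APPROVAL_LIMITS)}

# Procurement grid from the article: who must sign under and over $50,000.
# Assumption: exactly $50,000 falls in the lower band.
PROCUREMENT_THRESHOLD = 50_000
PROCUREMENT_SIGNERS = {
    "small": {"controller", "vp"},
    "large": {"controller", "vp", "legal"},
}

def lowest_role_for(amount):
    """Lowest role allowed to approve `amount` alone, or None above the CEO cap."""
    for role, limit in APPROVAL_LIMITS.items():
        if amount <= limit:
            return role
    return None

def check_approval(kind, amount, approvers, standard=True):
    """Return the control failures for a request; an empty list means the
    approvals on file satisfy the matrix. `approvers` is the set of roles that
    have signed off. `standard=False` marks a non-standard contract, which the
    article says must go to the legal reviewer."""
    approvers = set(approvers)
    problems = []
    if kind == "disbursement":
        needed = lowest_role_for(amount)
        if needed is None:
            # Assumption: anything above the CEO cap needs the board.
            if "board" not in approvers:
                problems.append("amount exceeds CEO limit; board approval required")
        elif not any(ROLE_RANK.get(r, -1) >= ROLE_RANK[needed] for r in approvers):
            problems.append(f"needs approval from {needed} or above")
    elif kind == "contract":
        band = "small" if amount <= PROCUREMENT_THRESHOLD else "large"
        missing = PROCUREMENT_SIGNERS[band] - approvers
        if missing:
            problems.append("missing sign-off from: " + ", ".join(sorted(missing)))
        if not standard and "legal" not in approvers:
            problems.append("non-standard contract requires legal review")
    else:
        problems.append(f"unknown transaction kind: {kind}")
    return problems
```

A workflow would refuse to release the payment or signature while `check_approval` returns any problem, which is exactly the point at which an urgent “CEO” request that skipped the matrix gets stopped.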
To recap, we discussed how you fight fraud and specifically focused on: