From equipment theft to padded time and, wire transfer fraud to cyberattacks, contractors are vulnerable to a variety of fraud schemes. According to the Association of Certified Fraud Examiners, the median loss due to internal fraud is $200,000 for construction companies — significantly higher than the $125,000 for all industries.
Many factors make businesses in the sector rife for fraud, and owners may not be able to control all of them. For example, no one person can physically monitor multiple job sites, particularly if they're geographically distant. What you can do is establish and enforce antifraud policies and procedures that make theft difficult, if not impossible. Your internal controls should address the following issues.
Some of your business's greatest vulnerabilities lurk in your accounting department. It's important that you segregate duties so that no one employee — no matter how long-serving and trusted — assumes responsibility for everything. Even good people can be tempted to steal when given free rein to your accounts. So, the person who writes checks shouldn't also reconcile bank statements. It's also good policy to require dual signatures on checks and to limit wire transfer authorizations to a select few managers.
If you rely on performance bonds or use a line of credit, annual financial audits should be standard practice. Consider adding monthly financial reviews. They can help uncover anomalies sooner before fraud losses pile up.Schedule time each month to review bank statements, canceled checks, credit card statements, and payroll reports. Reconcile billings with general ledgers. Keep an eye out for unusual numbers of customer or vendor adjustments, or extra employees.
Protect your business from unscrupulous vendors (or employees colluding with vendors) by periodically reviewing supplier lists and spot checking their federal Employer Identification Number, physical addresses, phone numbers and websites. If you come across suspicious names, compare their addresses to employee addresses. If they match, a worker could be stealing from you.
To ensure you get what you pay for, request receipts from subcontractors for all materials or equipment delivered to job sites. Confirm quantity and quality or brand directly from the supplier. Conduct onsite inspections to make sure the correct materials and equipment are being used. Also, to mitigate false claims or misrepresentations by subcontractors, include a right-to-audit clause in contracts and exercise that right to request written documents confirming all claims and representations subcontractors promise you.
Perform a Cybersecurity Assessment
Automation, electronic banking and mobile access to systems are now commonplace, making cybersecurity a clear and present danger. Isolating IT vulnerabilities and implementing and maintaining a robust security protocol is no longer optional — it's mandatory.
Identify the critical data — particularly personally identifiable worker and customer financial information — stored on your network. Then, perform an audit of your data controls, including financial procedures, insurance, firewalls, antivirus software and backup procedures to confirm they're effective at protecting information. You might, for instance, perform daily backups of critical data and regularly test reset processes. If you find weaknesses, remediate them immediately.
In addition, carefully vet subcontractors and suppliers before granting them access to any of your systems. Keep in mind: Retail giant Target's infamous 2013 data breach was perpetrated by tricking an HVAC contractor to download malware.
Use Other Tools
Fraud rarely occurs in a vacuum. In many cases, the thief's coworkers or an outside party have some information — even if it's only a suspicion. To encourage tips, make a confidential hotline or web portal available to employees, vendors and customers. Publicize the hotline and make sure you follow up on tips you receive. Communicate outcomes such as termination or prosecution to send the message that you take fraud seriously.
Background checks can help you head off problems before they start. Conduct them on every new employee, subcontractor and supplier. For subs and vendors, include a review of financial statements, credit history and solvency. Although it's best to use a licensed investigator, you can start informally with an online search. Look for red flags such as tax liens, lawsuits, legal judgments and violations. Another red flag is subsidiary companies that mask the identity of their principals.
Wire transfers presents another huge risk for fraud. Fraudsters use phishing and social engineering to convince employees to send funds on behalf of the President, CFO or important customers.
Another common wire fraud is hacking legitimate vendor invoices. A hacker can infiltrate your vendor’s email or an employee’s email to alter the wire transfer payment instructions on vendor invoices. The invoice is legitimately for goods and services purchased, but the payment instructions will send the funds to an account controlled by the hacker instead of the vendor.
To help mitigate risk, establish dual control if placing wire transfers or automated clearing house transactions that require an employee to initiate the transaction and another employee to verify the transaction prior to sending. Establish a separate machine to transmit that is not connected or used for email, or be sure to use a secure machine which is monitored and does not store passcodes. Let the bank know your company’s routine and other transactions that are to be expected. Use distinct passwords that you do not use on other accounts and do not share passwords. Beware of social engineering and notify the bank, insurance company, and law enforcement if compromised.
Fraud can happen when contractors aren't paying attention to the many theft opportunities the average construction business offers dishonest workers and others. VonLehman’s team of fraud prevention specialists can help you establish strong internal controls that address your company's specific risks. For questions and guidance related to fraud prevention, contact Larry Brown at firstname.lastname@example.org or 800.887.0437.