1. Change Your Procedures
You can protect your company from breaches by changing your HR policies, outsourcing payroll calculations, training employees in online security matters and using a password-protected system. Conducting regular audits is essential to catch ghost employees, hour padding and people clocking in or out for their friends. It’s important to update your system, install patches and change passwords regularly.
You should implement a policy that recognizes the risks of physical intrusions into your systems. That means making it mandatory for HR staff to log out when leaving their computers or desks. Small offices should be locked if the assigned staff member must be away for an extended period. Switching to a paperless process eliminates paper records that can be stolen or read. It’s also important to start a program of regular training and education on security-related issues.
2. Make Messages Secure
Some companies are required by law to communicate only with secure browsers and systems to protect personal information. It's a good practice for any company because employee information can be used for identity theft and theft of information like debit card numbers used to pay employees.
Your company’s email policies can generate many cyber security risks. If HR employees open any email attachment, they can trigger a virus or malware attack. It’s important to establish an email policy - especially with HR employees. Another useful rule is to require that employees only use company-approved equipment to access confidential records.
3. Requiring Separation of Certain Duties
Most people understand the risks of giving someone power-of-attorney over their financial affairs, but many companies give their employees exactly that inadvertently. Some of the oldest safeguards in the accounting industry are arranging separation of duties, requiring double entries of all transactions and performing regular audits of financial records. It’s important to have different people handle new hire records, time sheets, check writing and data entry.
Separate duties ensure that one person doesn’t control the operating, record-keeping and check writing duties. In fact, most companies require two or three people to review check disbursements, sign checks and conduct ad hoc audits.
4. Prevent Paycheck Fraud
Printed checks are fast, efficient and usually accurate, but the rule of “garbage in, garbage out” applies. If someone deliberately overpays one or more employees, the theft often goes unnoticed. Employees can also try to print their own checks using a company printer and blank computer checks. A savvy drifter without any local ties could easily cost the company thousands of dollars if he or she gets just a few minutes alone with the computer and printer.
You should develop a plan to protect your check-printing station from unauthorized use or unsupervised check printing. Provide your employees with self-service management of their employee accounts so that critical personal information doesn’t have to be written down. Make sure that your bank and vendor use the latest check safeguards to prevent the cashing of unauthorized checks.
5. Raising Awareness of Phishing Schemes
Employees who handle payroll-related duties often do this as a sideline to their regular jobs at small companies. Phishing schemes can often look like official correspondence because cyber criminals can generate documents that look like the real thing. These emails are often disguised as communications from a company executive, the IRS or other government agencies.
These phishing emails often contain terms such as W-2, back taxes, earnings summary and property seizure, along with other terms related to confidential personnel matters. It’s easy to mistake these messages for real correspondence, so it’s a good idea to verify email addresses, check to see if there’s a valid return address and contact any executive who requests information.
Best Practices to Prevent Payroll Fraud
Payroll fraud is common, but there are steps that you can take to identify fraud proactively. It usually takes up to 30 months to uncover most payroll-related fraud schemes, and fraud can cost companies hundreds of thousands of dollars.
In addition to some of the schemes mentioned earlier, bookkeepers also need to be aware of false claims for compensation, insurance fraud and benefits schemes. Your HR department should remain vigilant to root out false claims, hacking attempts, phishing expeditions and falsified wages.
Some of the best practices for preventing illegal payroll-related schemes include:
• Require mandatory vacations so that no single employee has exclusive access to company records.
• Make supervisors sign all time sheets.
• Review payroll-related reports regularly.
• Monitor overtime, and require a supervisor’s approval.
• Rotate the jobs of people handling payroll-related duties.
• Review all bank statements and canceled checks.
Cyber Security Starts at the Top
If you want to inspire employees to take security-related matters more seriously, it's important to start at the top of the company hierarchy. Building a culture of transparency and honesty works as a preventative measure so that employees understand that even minor breaches won't be tolerated. The company must explain its policies clearly, prosecute offenders and create an open-door policy for company whistle-blowers.
About 40 percent of all fraud cases are discovered because of a tip, so small companies should encourage their employees to report any inconsistencies or suspected fraud. Tightening up your security-related policies provides benefits across the board for small companies.