Skyytek Consultants - NetSuite, Salesforce, SAP Business ByDesign, ZohoCRM and SugarCRM - Implementation

A bit off topic here - but never-the-less, something we feel we need to address since we are involved in Management Consulting and ERP deployment.

So, we have come across two cases in the last few months involving our customers where CFO's have been linked (and in one case imprisoned) to fraud schemes that are relatively massive in nature considering the customers revenues.

We are not going to mention the customers for obvious reasons; nor the individuals; nor the systems they were using (completely irrelevant).

So what happened?

In both cases they had disturbing common trends.

• Both customers were close to $1 million spread over time.
• Both customers were relatively successful SMB's.
• Both customers engaged us for ERP support.  In other words, we were not dealing at a management level - rather on a more tactical level with their users.
• Both customers involved similar scenarios.  Taking money out of the company basically over a period of time for personal gain.
• In both cases, a huge impact to the bottom line. In one case, almost bankrupt.  Chances of recovery slim.
• In both cases, it was several years before they got caught.
• Both CFO's were considered "friends" of the stakeholders.
• Both CFO's did not perform bank reconciliations on a per month basis.
• Both CFO's were in control of all financial aspects of the companies.
• Neither of the companies were externally audited. 
• Both companies had to consume large amounts of time reporting and dealing with authorities in connection with the fraud.
• Both companies did not recover their lost money.

Who is to blame ?

Of course the person who committed the crime is to blame.  But it is also a "victim" crime whereby the company is severely affected, the employees (and families) and the stakeholders. 

Guess what, the stakeholders are responsible for all aspects of the company.

So tempering the wrong doing of 2 CFO's against the stakeholders.  The stakeholders are by no means blame free.  They have a fudicial duty to ensure that controls are in place to ensure this does not go on and operate their company to their best of their ability. 

In neither case were these controls in place - basically just sloppy policies - laziness- lack of vison (the list is long) on the stakeholders behalf.  In both cases, the CFO was allowed to do what they like. In fact, in both cases they made the ERP purchase decision and were given "admin" rights to the solution.   This gave them the method.  The motives are of course unclear - but financial unjust gain is one of them.

So, as a stakeholder, what can I do?

• Take your system security very seriously.  In the age of the consumer, most companies are so keen to get their ERP systems up and running they do not take the time or even listen to advise from companies like ourselves on the importance of security policies and segregation of duties.
• Ensure the segregation of duties are clearly defined. In other words, ensure that the person who keeps the books, is not the one who pays or the one who reconciles (maybe even out source that function).  It is not that hard to do this.
• Ensure monthly reconciliations.  We could not believe that the stakeholders were not insisting on monthly reconciliations in both cases.  This would have exposed this fraud - but more importantly probably prevented or deterred it.  
• Ensure "dashboards" are set up for stakeholders - that way they can always see the big picture as to what is happening. 
• If you can afford it.  Have an external auditor periodically audit your books.
• Make sure you engage the right company for your deployment.  They will (should) explain all of this.

Conclusion.

Not only CFO's are coming to light in these schemes; but historically book-keepers run rampant in such activity.  Without the necessary controls in place - it a matter of when (not if) it happens.

So stakeholders - can we get more proactive ?  You are after all resonsible for your company - not the CFO you hired.