Recently an office manager for a local veterinary surgeon was sentenced to eight years in prison for embezzlement. She stole more than $200,000 over a four-year period. During that time, she took lavish vacations, remodeled her home, and bought herself expensive gifts. During the same time, the surgeon worked longer and longer hours, struggling to keep his business afloat.

Small businesses lose money due to fraud every day. In fact, the Association of Certified Fraud Examiners reported in 2008 that small businesses (defined as businesses with less than 100 employees) suffered a greater percentage of frauds AND a higher median loss than their larger counterparts. The median fraud loss for small businesses was $200,000, the largest amount for any size company.

Small businesses often lack fraud-consciousness and tend to have weak or nonexistent internal controls. Their owners feel that internal controls are only for big companies with many employees. But, even small businesses have assets that others might try to steal. They are also particularly vulnerable due to their size and the nature of their operations. As a result, internal controls are not only desirable for small businesses, they are essential.

Internal controls are checks and balances that are intended to prevent fraud, limit losses and reduce errors. Here are three internal controls that any small business owner can implement today:

1. First, improve fraud-consciousness. There is no such thing as the perfect, trusted employee. Most frauds are committed by first-time offenders. A lack of internal controls invites frauds to be committed. All it takes is one personal financial emergency or unshareable personal problem, and the trusted employee may step over the line. In the beginning, there is usually an excuse, such as “I’m just borrowing the money and I’ll pay it back.” But once started, frauds are very difficult to stop.
2. Second, remember that cash is king and directly monitor cash activity. Receive the bank statement directly, preferably unopened. Open the statement and look at the activity. Does it make sense? Ask questions about anything that seems odd.
3. Third, personally approve all new vendors. Fraudulent billing was the most common fraud suffered by small businesses. It involves billing the company for nonexistent services or using company funds for personal purchases. Fraudulent billing can be prevented by approving all vendors and monitoring cash payments.

Internal controls will enable better management of operations, greater control over cash flow and reduced risk of loss due to error or fraud. Implement essential internal controls today.

Jeanne H. Yamamura is professor of accounting emerita at the University of Nevada, Reno College of Business.

If you collect confidential data on your customers or clients, an important change in the law will provide you with a mechanism to reduce your liability if the data is lost or stolen.

On the heels of ineffective data breach notification laws, Nevada Senate bill 227, a more proactive approach, offers a safe harbor to businesses that collect personal information if a data breach occurs. Some important definitions apply:

Are you a “data collector?”

A “data collector” is defined in Nevada Revised Statute 603A as “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.”

If you collect data, what constitutes “personal information?”

Personal Information is defined as a natural person’s first name or first initial and last name in combination with a (i) social security number (ii) driver’s license number or identification card number, or (iii) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

So, if I am a data collector, what do I need to do to get the safe harbor?

Effective January 1, 2010, you will need to encrypt personal information that is either transmitted electronically or contained in a data storage device that has moved beyond the data collector’s control (e.g. on a laptop computer).

There are specific requirements contained in the statute! If you do encrypt the data, you, as a business owner, will avoid liability if that encrypted data is lost or improperly accessed! In addition, it is possible that courts will take the encryption requirement into account in determining what constitutes negligent conduct associated with data breaches.

Companies that follow the statutes may even be eligible for reductions on their insurance.

All of these are good reasons to check out SB 227 in the 2009 session information on the Nevada Legislature website at www.leg.state.nv.us or download the bill now  Senate Bill 227

© 2009 Drinkwater Law Offices