Fraud Prevention Checklist

Internal Control Environment

    Map every finance role against the four incompatible functions: authorization, custody, recordkeeping, and reconciliation. The same person should not initiate a wire, post the GL entry, and reconcile the bank account. In QBO and Xero, use the user-permission report as the starting point — most SMBs find at least one finance user with full admin rights that should not have them.

    Walk the matrix line by line with the controller. Common conflicts: AP clerk who also approves vendor master changes (fictitious-vendor risk), bookkeeper who posts journal entries and signs the bank rec (cover-up risk), payroll specialist who can add a new employee and release the direct-deposit file (ghost-employee risk).

    For each conflict flagged, either reassign the duty to a second person or layer a compensating control (e.g., partner review of all vendor master changes when the AP clerk is the only approver). Document the rationale — auditors will ask why a residual conflict remains.
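    The three steps above, scripted. This is an added example, not part of the original checklist and not a Manifestly, QBO or Xero feature; the permission names, their grouping into processes, and the sample users are assumptions, so map your system's actual role names onto them. Each permission is tagged with one of the four functions, every user who combines two or more functions within one process is reported, and the three schemes named above are called out when the exact permission pair is present.

```python
"""Segregation-of-duties conflict check over a user-permission export.

Added example, not Manifestly's code.  Permission names, process groupings
and the sample users are assumptions, not QBO or Xero role names.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# permission -> (process, function).  The function is one of the checklist's
# four: authorization, custody, recordkeeping, reconciliation.
PERMISSIONS = {
    "initiate_wire":         ("disbursements", "custody"),
    "approve_wire":          ("disbursements", "authorization"),
    "post_gl_entry":         ("disbursements", "recordkeeping"),
    "reconcile_bank":        ("disbursements", "reconciliation"),
    "enter_ap_invoice":      ("payables", "recordkeeping"),
    "approve_vendor_change": ("payables", "authorization"),
    "add_employee":          ("payroll", "authorization"),
    "release_dd_file":       ("payroll", "custody"),
}
FULL_ADMIN = "admin"  # a full-admin login implicitly holds every permission above

# The three schemes named in the checklist, keyed by the permission pair that enables them.
NAMED_CONFLICTS = {
    frozenset({"enter_ap_invoice", "approve_vendor_change"}): "fictitious-vendor risk",
    frozenset({"post_gl_entry", "reconcile_bank"}): "cover-up risk",
    frozenset({"add_employee", "release_dd_file"}): "ghost-employee risk",
}


@dataclass(frozen=True)
class Conflict:
    user: str
    process: str
    functions: frozenset       # incompatible functions this user combines in the process
    named_risk: Optional[str]  # one of NAMED_CONFLICTS when the exact pair is present


def effective_permissions(granted: set) -> set:
    """Expand full admin to every defined permission; drop unknown names."""
    if FULL_ADMIN in granted:
        return set(PERMISSIONS)
    return granted & set(PERMISSIONS)


def find_conflicts(export: dict) -> list:
    """export maps user -> set of granted permissions.  A user holding two or
    more of the four functions within the same process is a conflict."""
    conflicts = []
    for user, granted in sorted(export.items()):
        perms = effective_permissions(granted)
        by_process = defaultdict(set)
        for p in perms:
            process, function = PERMISSIONS[p]
            by_process[process].add(function)
        for process, functions in sorted(by_process.items()):
            if len(functions) < 2:
                continue
            named = next((risk for pair, risk in NAMED_CONFLICTS.items()
                          if pair <= perms and PERMISSIONS[next(iter(pair))][0] == process),
                         None)
            conflicts.append(Conflict(user, process, frozenset(functions), named))
    return conflicts


# Constructed sample export (not real QBO/Xero output).
SAMPLE_EXPORT = {
    "owner": {"admin"},                                               # full admin: conflicts everywhere
    "jlee":  {"post_gl_entry", "reconcile_bank", "enter_ap_invoice"},  # bookkeeper who signs the rec
    "rkhan": {"enter_ap_invoice", "approve_vendor_change"},           # AP clerk approving vendor changes
    "pwong": {"add_employee"},                                        # payroll; DD release held elsewhere
    "tfox":  {"initiate_wire"},                                       # treasury initiator only
}

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_EXPORT):
        label = f" ({c.named_risk})" if c.named_risk else ""
        print(f"{c.user}: {c.process} combines {', '.join(sorted(c.functions))}{label}")
```

    Full admin expands to every permission, which is why the owner login trips all three processes; that is the "finance user with admin rights that should not have them" finding from the first step. A residual conflict accepted with a compensating control still appears in the output, so record the rationale next to it rather than removing the permission from the mapping.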

    Configure the bank's treasury portal so wires and ACH batches require an initiator plus a second-person approver before release. Set the dual-control threshold at $0 for wires and at a low dollar amount for ACH (CEO-fraud schemes typically request wires of $25K-$250K).

Audit and Reconciliation Cadence

    Confirm the engagement type with the partner: a compilation or a review (both performed under the AICPA's SSARS, currently SSARS 21 as amended) or a full audit under GAAS. Lender covenants and franchisor agreements often dictate the level. Keep the limits in mind: a compilation provides no assurance, a review provides limited assurance, and even an audit is designed to give reasonable assurance on the financial statements, not to detect fraud. Send the engagement letter and PBC (prepared-by-client) list at least 60 days before fieldwork to avoid a fee overrun.

    Surprise counts of petty cash, register tills, and lockbox deposits twice a year. Send AICPA-standard bank confirmations directly to the bank — never through the bookkeeper. Skimming and lapping schemes survive specifically because reconciliations are routine and predictable.

    Pull the manual JE log from QBO or Sage Intacct. Filter for entries posted near month-end, entries for round-dollar amounts, entries posted by the same person who approved them, and entries with no approver recorded at all. Adjusting entries (AJEs) to retained earnings or to suspense accounts get a 100% review regardless of dollar size.
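    The four filters above run over a constructed JE log. This is an added example, not part of the original checklist and not a QBO or Sage Intacct export format; the round-dollar unit, the close-window width, the sensitive account names and the sample entries are assumptions, so adjust them to your chart of accounts. Each flagged entry comes back with every reason it tripped, so the reviewer can prioritize the mandatory (sensitive-account) items first.

```python
"""Manual journal-entry screening: added example, not Manifestly's code and not
a QBO or Sage Intacct export format.  Thresholds and sample entries are
assumptions; map your export's columns onto the fields used here."""
import calendar
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

ROUND_DOLLAR_UNIT = Decimal("1000")  # assumption: whole multiples of $1,000 count as round
CLOSE_WINDOW_DAYS = 3                # assumption: last 3 days of a month or first 3 of the next
SENSITIVE_ACCOUNTS = {"3900 Retained Earnings", "2990 Suspense"}  # 100% review, any size


@dataclass(frozen=True)
class JournalEntry:
    je_id: str
    posted: date
    account: str
    amount: Decimal             # debit positive, credit negative
    posted_by: str
    approved_by: Optional[str]  # None when the system recorded no approver
    memo: str = ""


def is_round_dollar(amount: Decimal) -> bool:
    """Non-zero whole multiple of ROUND_DOLLAR_UNIT (sign ignored)."""
    return amount != 0 and amount % ROUND_DOLLAR_UNIT == 0


def is_near_month_end(d: date, window: int = CLOSE_WINDOW_DAYS) -> bool:
    """Inside the period-close window: the last `window` days of a month or
    the first `window` days of the following month."""
    last_day = calendar.monthrange(d.year, d.month)[1]
    return d.day > last_day - window or d.day <= window


def is_self_approved(je: JournalEntry) -> bool:
    """Poster and approver are the same login, or no approver was recorded."""
    return je.approved_by is None or je.approved_by.lower() == je.posted_by.lower()


def screen_entries(entries) -> dict:
    """Return {je_id: [reasons]} for every entry that trips at least one test.
    Sensitive-account hits come first so the reviewer sees the mandatory ones."""
    flagged = {}
    for je in entries:
        reasons = []
        if je.account in SENSITIVE_ACCOUNTS:
            reasons.append("sensitive account (100% review)")
        if is_self_approved(je):
            reasons.append("self-approved or no approver")
        if is_round_dollar(je.amount):
            reasons.append("round-dollar amount")
        if is_near_month_end(je.posted):
            reasons.append("posted in close window")
        if reasons:
            flagged[je.je_id] = reasons
    return flagged


# Constructed sample log; four of the five entries should be flagged.
SAMPLE_LOG = [
    JournalEntry("JE-1001", date(2024, 3, 30), "6100 Rent", Decimal("4850.00"), "jlee", "mcontroller"),
    JournalEntry("JE-1002", date(2024, 3, 31), "2990 Suspense", Decimal("12000.00"), "jlee", "jlee", "reclass"),
    JournalEntry("JE-1003", date(2024, 4, 1), "5000 COGS", Decimal("-2500.00"), "rkhan", None, "accrual"),
    JournalEntry("JE-1004", date(2024, 4, 15), "6200 Utilities", Decimal("1389.17"), "rkhan", "mcontroller"),
    JournalEntry("JE-1005", date(2024, 4, 16), "3900 Retained Earnings", Decimal("75.00"), "mcontroller", "partner"),
]

if __name__ == "__main__":
    for je_id, reasons in screen_entries(SAMPLE_LOG).items():
        print(f"{je_id}: {'; '.join(reasons)}")
```

    Month-end rent in the sample trips only the close-window test, which is the expected noise from a legitimate accrual; the value of running all four tests together is that the suspense reclass shows up with every reason at once and is obviously the one to pull support for.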

Employee Oversight and Training

    Cover the three branches of the ACFE Occupational Fraud Tree — corruption, asset misappropriation, financial-statement fraud — with concrete examples drawn from the latest Report to the Nations. Walk through the local case studies (expense-report padding, billing schemes, payroll ghost employees) so signs are recognizable.

    Tips remain the number-one source of fraud detection per ACFE — over 40% of cases. Use a third-party service (NAVEX EthicsPoint, Lighthouse, Syntrio) so reports do not route through the controller or HR director who may be implicated. Post the hotline number in break rooms and on the intranet.

    Run criminal, credit, and prior-employment verification on anyone with vendor-master, payroll, or treasury access. Under the FCRA the employer must give a standalone written disclosure and obtain the applicant's written authorization before pulling a consumer report, and must send a pre-adverse-action notice (with a copy of the report and the CFPB summary of rights) before acting on it. Several states (California, Illinois, and Washington among them) and New York City restrict employer use of credit reports; most of those laws exempt positions with access to funds or bank-account data, but confirm the exemption covers the role before ordering the credit component.

    Every employee with purchasing, vendor selection, or hiring authority signs a disclosure naming related-party vendors, side businesses, and family employed by suppliers. Cross-check disclosures against the vendor master and the employee address file — matches between vendor and employee addresses are a classic fictitious-vendor signal.

Detection Technology Stack

    Positive pay matches every presented check against the issued-check file (check number and amount, plus payee name with payee positive pay) before the bank honors it; an ACH debit block rejects every incoming debit, and an ACH debit filter allows only debits from a pre-approved originator list, optionally with a dollar cap per originator. Together they shut down two of the most common SMB fraud vectors: forged or altered checks and unauthorized ACH debits. Most banks charge $30-$75/month, far cheaper than a single forged check. Work the exception report before the bank's daily cutoff, and confirm the account's default disposition for undecisioned exceptions is "return", not "pay".

    Run quarterly tests against the vendor master and payroll register: duplicate bank accounts across vendors, vendor addresses matching employee addresses, payroll direct-deposit accounts shared across multiple employees, vendors with PO boxes only, round-dollar invoice amounts above the approval threshold. Tools like AuditBoard, MindBridge, or even Excel with Power Query handle this.
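    The five quarterly tests above, plus the vendor-to-employee address cross-check from the disclosure step, as runnable code. This is an added example, not part of the original checklist and not a QBO, Xero or Sage Intacct export format; the record fields, the approval threshold, the round-dollar unit, the address-abbreviation table and all sample records are assumptions. Addresses are normalized before comparison because "123 Main Street, Suite 4" and "123 MAIN ST STE 4" are the same address and a raw string match would miss it.

```python
"""Vendor-master and payroll cross-checks: added example, not Manifestly's code
and not a QBO/Xero/Intacct export format.  Fields, thresholds and sample data
are assumptions; map your export's columns onto them."""
import re
from collections import defaultdict, namedtuple
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("5000")  # assumption: invoices above this need a second approver
ROUND_UNIT = Decimal("100")           # assumption: whole multiples of $100 count as round-dollar
_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR", "BOULEVARD": "BLVD",
           "SUITE": "STE", "APARTMENT": "APT", "UNIT": "APT",
           "NORTH": "N", "SOUTH": "S", "EAST": "E", "WEST": "W"}
_PO_BOX = re.compile(r"^(P\.?\s*O\.?|POST\s+OFFICE)\s*BOX\b", re.IGNORECASE)

Vendor = namedtuple("Vendor", "vendor_id address routing account")
Employee = namedtuple("Employee", "emp_id address dd_routing dd_account")
Invoice = namedtuple("Invoice", "invoice_id vendor_id amount")


def normalize_address(addr: str) -> str:
    """Uppercase, strip punctuation, standardize abbreviations, so
    '123 Main Street, Suite 4' and '123 MAIN ST STE 4' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", addr.upper()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def _shared(keyed):
    """Group record ids by key and keep the keys more than one record shares."""
    groups = defaultdict(list)
    for key, rec_id in keyed:
        groups[key].append(rec_id)
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def shared_vendor_bank_accounts(vendors):
    """(routing, account) pairs paid to more than one vendor."""
    return _shared(((v.routing, v.account), v.vendor_id) for v in vendors)


def shared_direct_deposit(employees):
    """Direct-deposit accounts receiving pay for more than one employee."""
    return _shared(((e.dd_routing, e.dd_account), e.emp_id) for e in employees)


def vendor_employee_address_matches(vendors, employees):
    """(vendor_id, emp_id) pairs whose normalized addresses are identical."""
    emp_by_addr = defaultdict(list)
    for e in employees:
        emp_by_addr[normalize_address(e.address)].append(e.emp_id)
    return [(v.vendor_id, emp) for v in vendors
            for emp in emp_by_addr.get(normalize_address(v.address), [])]


def po_box_only_vendors(vendors):
    """Vendors whose address on file is only a PO box."""
    return [v.vendor_id for v in vendors if _PO_BOX.match(v.address.strip())]


def round_invoices_over_threshold(invoices):
    """Round-dollar invoices above the approval threshold."""
    return [i.invoice_id for i in invoices
            if i.amount > APPROVAL_THRESHOLD and i.amount % ROUND_UNIT == 0]


def run_quarterly_tests(vendors, employees, invoices) -> dict:
    """All five tests in one pass; any non-empty result is a review item."""
    return {
        "shared_vendor_bank_accounts": shared_vendor_bank_accounts(vendors),
        "vendor_employee_address_matches": vendor_employee_address_matches(vendors, employees),
        "shared_direct_deposit": shared_direct_deposit(employees),
        "po_box_only_vendors": po_box_only_vendors(vendors),
        "round_invoices_over_threshold": round_invoices_over_threshold(invoices),
    }


# Constructed sample data; routing and account numbers are placeholders.
VENDORS = [
    Vendor("V-100", "123 Main Street, Suite 4, Dayton OH", "011000000", "1111"),
    Vendor("V-101", "P.O. Box 991, Dayton OH", "011000000", "1111"),  # shares V-100's bank account
    Vendor("V-102", "88 Oak Avenue, Columbus OH", "011000000", "2222"),
]
EMPLOYEES = [
    Employee("E-7", "123 MAIN ST STE 4, DAYTON OH", "022000000", "5555"),  # same address as V-100
    Employee("E-8", "40 Elm Rd, Dayton OH", "022000000", "5555"),           # shares E-7's deposit account
    Employee("E-9", "9 Pine Dr, Kettering OH", "022000000", "6666"),
]
INVOICES = [
    Invoice("INV-1", "V-101", Decimal("9000.00")),  # round and above threshold
    Invoice("INV-2", "V-102", Decimal("4800.00")),  # round but below threshold
    Invoice("INV-3", "V-100", Decimal("7125.50")),  # above threshold, not round
]

if __name__ == "__main__":
    for test, hits in run_quarterly_tests(VENDORS, EMPLOYEES, INVOICES).items():
        print(f"{test}: {hits or 'clean'}")
```

    In the sample, vendor V-101 is the one to pull: a PO-box-only address, a bank account shared with another vendor, and a round-dollar invoice over the threshold all land on the same record, which is the pattern a fictitious vendor leaves. Each test also runs on its own, so a single check (for example the shared direct-deposit test against the payroll register) can be dropped into an existing review without the rest.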

    Confirm the firm's WISP (the written information security plan the FTC Safeguards Rule, 16 CFR Part 314, requires of tax preparers, and which IRS Publication 4557 walks through) covers the Safeguards Rule controls: MFA on all accounting and email systems, encrypted laptops and client data encrypted in transit and at rest, role-based access, quarterly access reviews, and a documented incident-response plan. The response plan should include the Rule's notification requirement: a breach involving the information of 500 or more consumers must be reported to the FTC within 30 days of discovery. Phishing and business-email compromise are the usual entry point in accounting-firm breaches, so MFA on email is not optional.

Fraud Response Plan

    Spell out the escalation tree (who hears about a tip first, when the audit committee is briefed, when outside counsel is engaged), evidence-preservation protocol, communication freeze with the suspected employee, and disciplinary range. The plan should name a primary and backup responder so it works when the controller is the implicated party.

    Walk leadership through a realistic scenario — anonymous tip alleging the AP manager is paying a fictitious vendor — and time how long each step takes. Common gaps surface here: nobody knows where the bank-confirmation log lives, the audit committee chair is unreachable, outside counsel has not been pre-engaged.

    For each gap surfaced in the tabletop, assign an owner and a due date. Update the WISP, the response policy, and the call-tree contact sheet. Re-run the affected portion of the tabletop within 60 days to confirm the fix works under pressure.

    The audit-committee chair or managing partner signs the annual fraud risk assessment summarizing residual risks, controls in place, and items deferred to next cycle. The signed document is part of the audit work papers and supports management's representation letter.
