Fraud Prevention Checklist

Map every finance role against the four incompatible functions: authorization, custody, recordkeeping, and reconciliation. The same person should not initiate a wire, post the GL entry, and reconcile the bank account. In QBO and Xero, use the user-permission report as the starting point — most SMBs find at least one finance user with full admin rights that should not have them.

Walk the matrix line by line with the controller. Common conflicts: AP clerk who also approves vendor master changes (fictitious-vendor risk), bookkeeper who posts journal entries and signs the bank rec (cover-up risk), payroll specialist who can add a new employee and release the direct-deposit file (ghost-employee risk).

For each conflict flagged, either reassign the duty to a second person or layer a compensating control (e.g., partner review of all vendor master changes when the AP clerk is the only approver). Document the rationale — auditors will ask why a residual conflict remains.

Confirm engagement type with the partner — compilation, review under SSARS 21, or full audit. Lender covenants and franchisor agreements often dictate the level. Send the engagement letter and PBC list at least 60 days before fieldwork to avoid a fee overrun.

Surprise counts of petty cash, register tills, and lockbox deposits twice a year. Send AICPA-standard bank confirmations directly to the bank — never through the bookkeeper. Skimming and lapping schemes survive specifically because reconciliations are routine and predictable.

Cover the three branches of the ACFE Occupational Fraud Tree — corruption, asset misappropriation, financial-statement fraud — with concrete examples drawn from the latest Report to the Nations. Walk through the local case studies (expense-report padding, billing schemes, payroll ghost employees) so signs are recognizable.

Tips remain the number-one source of fraud detection per ACFE — over 40% of cases. Use a third-party service (NAVEX EthicsPoint, Lighthouse, Syntrio) so reports do not route through the controller or HR director who may be implicated. Post the hotline number in break rooms and on the intranet.

Run criminal, credit, and prior-employment verification on anyone with vendor-master, payroll, or treasury access. FCRA disclosure and consent are required before pulling reports. State-specific limits apply in California, New York, and Massachusetts on credit-check use.

Positive pay matches every cleared check against the issued-check file before the bank honors it; ACH debit blocks reject any debit not on a pre-approved originator list. Together they shut down the two most common SMB fraud vectors. Most banks charge $30-$75/month — far cheaper than a single forged check.

Run quarterly tests against the vendor master and payroll register: duplicate bank accounts across vendors, vendor addresses matching employee addresses, payroll direct-deposit accounts shared across multiple employees, vendors with PO boxes only, round-dollar invoice amounts above the approval threshold. Tools like AuditBoard, MindBridge, or even Excel with Power Query handle this.

Spell out the escalation tree (who hears about a tip first, when the audit committee is briefed, when outside counsel is engaged), evidence-preservation protocol, communication freeze with the suspected employee, and disciplinary range. The plan should name a primary and backup responder so it works when the controller is the implicated party.

Walk leadership through a realistic scenario — anonymous tip alleging the AP manager is paying a fictitious vendor — and time how long each step takes. Common gaps surface here: nobody knows where the bank-confirmation log lives, the audit committee chair is unreachable, outside counsel has not been pre-engaged.

For each gap surfaced in the tabletop, assign an owner and a due date. Update the WISP, the response policy, and the call-tree contact sheet. Re-run the affected portion of the tabletop within 60 days to confirm the fix works under pressure.