Practice Management

Fraud - managing your risk

The question every business owner or manager should be asking is - am I doing enough to ensure I don’t become a statistic or a victim of theft?  Fraud, which is the same as theft (for all intents and purposes), is a serious threat that all firms are faced with.  As such, all firms should have a plan in place to:

  • Reduce the risk of fraud happening
  • Detect if it does happen
  • Take action if it does happen

The simple fact is that fraud is “un-fun”, “uninteresting” to read about and an unpreventable risk of doing business.  But “undeniably” you, as a manager, need to take steps to reduce the likelihood of fraud taking place and to be able to act when/if it does.

Statistics are nice to know - so here are a few facts. According to the US Chamber of Commerce:

  • They estimate theft by employees costs American Companies $20-$40 Billion a year.
  • They estimate every employed American contributes $400 per year to pay for fraud perpetrated.
  • Employees are 15 times more likely to steal from their employers than non-employees.
  • 75% of employee-related crimes go unnoticed (about 70% in South Africa).

These stats are shocking, and if you accept the generalisation (which is mostly media hype) that South Africa is a crime-riddled banana republic, then our comparative stats should be less rosy.  Looking at those stats, two of them should really worry you (as a business owner or manager) - your employees are more than likely to steal from you and 70-75% of them, should they commit fraud, will get away with it.

Lots of firms take great comfort in the fact that they have auditors who will keep them safe from fraud - this comfort is misplaced.  It is not the auditor’s job to detect fraud, and even if they do pick up cases of fraud, the perpetrator could be sitting on a beach sipping Mai Tais by the time they detect it.

Within our legal industry, as per the press and industry talk, the last few months have seen internal fraud amounting to more than R40 million come to light - this is a scary number when you think that the legal industry is relatively small compared to others in South Africa.

So we need a plan to manage the risk of fraud and we specifically need a plan to manage the risk of internal fraud. In starting we need to accept the following:

  1. It is not unpreventable
  2. It is your responsibility
  3. It requires effort
  4. Doing nothing could leave you broke, struck off the roll or worse...

The plan to reduce the risk of fraud starts with having proper processes, systems and good people.  Good internal controls covering these areas are key and include:

  1. Segregation of Duties: Getting different people to perform different parts of a process.  With GhostPractice it’s as simple as one person requesting a payment (fee earner), another authorising it (Partner) and a third processing it (Bookkeeper).  Even the loading and release of a payment should be split (the bookkeeper loads the payment and the partner releases it once he/she has seen the supporting documents, which can be scanned and viewed from GhostPractice).

  2. Having proper documents and records: Invoices which are pre-numbered and payment requisitions which can be traced back to a matter are key prerequisites which are standard in GhostPractice and which every firm should be using. Your financial reports (available at the click of a button on GhostPractice) should be reviewed for “funnies” all the time.

  3. Independent checks: Reconciling bank account details on the system/physical documents with those created on internet banking should be done regularly.  GhostPractice can give you reports that provide this information.  Reconciling deposits to amounts recorded in your system should be done regularly.

  4. Access Controls: Access to systems and critical functions and documents should be carefully controlled and monitored.  GhostPractice will allow you to only give specific functionality to staff as they need it.  Things like physical receipt books should be checked and kept safe.

  5. Proper Authorisations: Transactions effected should be authorised and monitored - credit notes generated and adjustments done on your system should be reviewed regularly - again, GhostPractice gives you the necessary tools and functions to do this.

Over and above these internal controls you should also pay careful attention to the people you hire - spend extra time making sure you are hiring ethical people and do the necessary checks before you hire them. Once hired, you as a manager/owner should “know” your staff - changes in personal circumstances and behaviour could be the trigger for someone (who for all intents and purposes is a “good person”) to consider defrauding the firm.  Creating an ethical culture is key.  If you create loopholes to account for some receipts and payments, then you are creating opportunities for others to take advantage as well.

The internal controls described above are built into GhostPractice (GP) and should also be built into your system (if you are not using GP).  They might seem a bit intrusive and inefficient but they are there to help you maintain a proper and controlled environment.

Lastly, with regard to risk reduction, you cannot devolve responsibility to others - it’s your job as a manager/owner and you should make it a part of your work activities.

Things one should look out for to determine if fraud is going to be easy to commit at the firm include (this is where you should be taking a long, hard look at the firm):

  • Poor internal controls
  • Lack of Financial Management skills
  • Unmanaged staff (staff left to run the firm on their own)
  • The likelihood of collusion between staff and external parties
  • Unwillingness of staff to share duties or take leave
  • Unusual behaviour of staff
  • Poor documentary support for transactions effected (credit notes and Adjustments)
  • Manipulation of computer records and transactions to balance the books
  • Backlogs and financial data not being up-to-date

The list above is not exhaustive but should give you a good indication if your firm is “ripe for picking”.

Fraud prevention measures will not completely eliminate the risk of fraud and that’s why you need to implement fraud detection measures as well. These should include:

  • Using your financial reports to compare performance year-on-year and month-on-month (GP’s Key Business Indicators does the calculations for you - you just need to go through it and start asking questions). Other reports you can use include:
    • Trial Balance - know all the accounts and understand the changes in values.
    • Age analysis (creditors and debtors) - know who you owe money to and who owes you money and why it changes month-to-month.
  • Using your bank reconciliation to check unknown transactions.
  • Payments made should be reviewed regularly and reconciled to supporting documents.
  • Deposits made should be properly reconciled - e.g. a R 2 000 deposit shouldn’t be recorded as a R 3 000 credit and a R 1 000 debit.
  • Cash handled by one person from receipt to recording should be carefully looked at.
  • Circumvention of the internal controls should be looked for and investigated.

Again, the list above is not exhaustive but should get you thinking about what to look out for.

Taking action, if fraud occurs, is your area of expertise so we don’t have to go into this but actively trying to prevent it is your duty. Not being a victim of fraud depends on your people, your processes, your systems and YOU.  All three areas need to be good but if you don’t manage your firm to limit the risk of fraud, you will be taken to the cleaners...

If you would like to know more about GhostPractice, reducing the risk of fraud or how GhostPractice is driving change in the legal industry feel free to call me, Kuben Naidoo on 084 586 6789 or email me

Kuben Naidoo
