Often when people think about fraud, they imagine one major event that strips a company of significant revenue, inventory, or other valuable assets. Perhaps they picture someone stealing a significant sum of cash and then driving into the sunset in their getaway car.
In reality, fraud is more like death by a thousand cuts. A bad actor will test a system in a seemingly small, unnoticeable way. Then they will continue to test that system in greater ways and with increased frequency until someone finally notices something’s up.
By the time fraud is found out, it may either be too late, or the defrauded company will spend significant time, energy, and capital to attempt to retrieve what they have lost.
Internal controls are your tools for preventing business fraud because they strengthen your systems and processes to catch eyebrow-raising activity before it seriously damages your company.
Fraud in Cannabis
The cannabis industry is especially vulnerable to fraud, both on the investor side as well as the plant-touching business side.
One reason for this is the stigma that still surrounds the plant. The federally illegal nature of the industry unfortunately lures bad actors who believe it will be easier for them to get away with fraudulent activity.
In fact, as recently as March, the Securities & Exchange Commission (SEC) charged several executives at the cannabis cultivation and distribution company American Patriot Brands with fraud. They raised more than $30 million from more than 100 investors “through a variety of material misrepresentations and omissions,” including exaggerating past revenues and falsely claiming business operations, according to a press release on the SEC website.
The other reason is that many cannabis companies, especially those in the start-up phase or those going through significant downsizing, operate very lean. One person is often wearing multiple hats, which means there are fewer people to keep vigilant on daily business activities or maybe only one person is responsible for them. In this environment, a cashed check here, a submitted invoice there, or an unexplained inventory discrepancy won’t raise many eyebrows because the focus is spread so thin.
It’s also worth noting how fraud is viewed in the nascent cannabis industry, versus more established industries.
Imagine this scenario: A traditional (non-cannabis) manufacturing company discovers someone wrote themselves bad checks and made away with thousands and thousands of dollars over a period of months. The story makes the news. The company identifies the person who has been stealing from them, and they share with reporters how surprised they were because this was a longtime employee who was trusted. The one to blame is the person who harmed the company, and the company itself is a victim.
Now imagine if this exact same situation happened to a cannabis dispensary, for example. This story, too, draws media attention. But how easy will it be for the public to blame the dispensary for not having proper internal controls and procedures against this? How could they not be more careful? Are they just plain irresponsible with the daily handling of their finances? Is their bank (if they have one) going to lend them support to help them get through this difficult time?
Herein lies the stigma of cannabis and also the broader problem the industry faces. One major instance of fraud can shed a negative light not just on the cannabis company in question—but the entire industry that is working tirelessly to legitimize the business of cannabis and operate in a responsible and compliant manner. This is why it is so important to fortify your business with internal controls.
Types of Internal Controls
Setting up internal controls is like setting up a checks and balances system for important operations in your company—from doing due diligence to handling inventory and finances and analyzing labor hours. Internal controls make sure there are enough people reviewing processes and documentation so that no one person has the power to commit major fraud within a company.
If a company is in its start-up phase, it is much easier to establish a solid plan of internal controls from the get-go.
On the other hand, if a company is more established, it can be more difficult to break old habits. However, a mature company will certainly find success with internal controls with a thorough assessment of previous practices and a commitment to improve. This can be done with a Risk Control Matrix (RCM), which draws out current processes and makes recommendations for improvement.
These are just a few examples of internal controls:
- Create a chain of command for check-writing, requiring two signatures for payments made over a certain dollar amount. For payments under that set dollar amount, establish a separate review process with people who are not issuing payments.
- Establish biometrics for employee timecards. Having someone check in at 8 a.m. when they habitually arrive 10 minutes later adds up to significant productivity loss over time. Facial recognition or thumb print scanners are ideal. Key fobs are essentially the same thing as a timecard and can get passed to another employee to clock in for the current employee. If biometric scanning isn’t available and a key fob is utilized, position a camera near employee check ins to make sure people are only clocking themselves in.
- Regularly reconcile accounts such as balancing cash registers, compare bank statements to internal records, and analyze the accounts receivables aging analysis to get a better understanding of outstanding payments and how long they are past due.
- Establish multiple points of verification for items like invoices, packing slips, and purchase orders.
- Have someone who is not issuing payments regularly review vendors, checking addresses and phone numbers to ensure they match the business entity that’s stated. (Automated solutions can also help you do this.)
- Do physical inventory counts rather than solely relying on RFID tag scans to ensure your recorded inventory matches the inventory you actually have on hand.
- Engage highly involved investors to participate in regular board meetings to ask questions and review business and financial decisions.
- Establish a due-diligence checklist for new investments, partnerships, mergers, or acquisitions.
Establishing and Adjusting Internal Controls
Once you establish your internal controls, those controls should be regularly tested on a quarterly, semi-annual or annual basis to make sure they’re sound. This can be done with an internal control audit prepared by your accounting firm.
Additionally, an internal control plan is not a set-it-and-forget-it set of procedures. If there are changes to your company, such as hiring a new chief financial officer (CFO), adding multiple new team members, a business expansion, a merger & acquisition, or any other significant events taking place—internal controls should be evaluated and potentially readjusted at that time.
To make sure everyone is on the same page, an internal controls flow chart should be created and filed somewhere easily accessible so that people can physically see how each process is handled as it pertains to their work. This helps everyone in the company better understand the process and adhere to it better than if it were only verbally shared with them. Also, as processes evolve and change, this allows team members to take “ownership” of the flowchart.
Accounting firms can help businesses establish internal controls, test internal controls, make readjustments when necessary and create proper flowcharts.
It would be naïve to say that a company can perfectly guard against any fraud attempt; however, with the proper internal controls in place, most fraud can be prevented or mitigated by being spotted early within your company.
Ryan Guedel, CPA, is a partner of Chicago-based accounting firm CJBS and a leader of the CJBS Cannabis Practice.