Field-Based Security: An Essential Control for Multi-User Accounting Software

Last Updated: January 16th, 2023
Researched and Written by: Adam Bluemner

Along with small business success come new challenges.

Responsibilities expand beyond what the core team can handle. New employees must be brought on to manage growth.

And at some point, keeping up with increased revenues–and expenses–requires more than one set of eyes on the screen and one pair of hands on the keyboard.

Sharing access to accounting software requires quite a bit of trust. At least it should. Financial data is, by its nature, sensitive data. The ability to execute transactions and edit records represents a lot of power.

The trouble, of course, is it’s a power that can be abused.

In its 2014 annual report, the Association of Certified Fraud Examiners (ACFE) estimated that “the typical organization loses 5% of revenues to fraud.”

For most people, it’s hard to imagine fraud occurring in-house. It can feel like the quintessential “other guy’s problem.” There’s a good reason for that thinking, too. The ACFE found that 92% of fraud perpetrators actually have a clean record–making potential offenders tough to spot–or even suspect.

Fraud does happen, though, and it’s especially costly for small businesses. According to the data, small organizations suffer “disproportionately large losses.”

The difference in fraud outcomes has its roots in diverging approaches to risk management. Larger organizations simply tend to invest more in anti-fraud controls than smaller ones.

These investments in anti-fraud controls pay off. The ACFE concluded that:

Fraud schemes at victim organizations that had implemented common anti-fraud controls were significantly less costly and were detected much more quickly than frauds at organizations lacking these controls.

Too often for small business leaders, though, it’s unclear what anti-fraud controls should be put in place. Or possible anti-fraud measures can seem laughably far-fetched.

Sure, multinational corporations might have entire audit departments, but is that really reasonable for a ten, twenty, or even one hundred person small business? Quarterly reviews by expensive outsourced auditors? Job rotation and mandatory vacation policies? Setting up a tip hotline with rewards for whistleblowers? Sounds nice, but let’s get real.

There is a simpler approach, however, that can dramatically reduce exposure to fraud risk.

Strong financial management security begins by limiting access to only those who truly need it. It’s no different than securing a building. The first thing to do is to close the doors. The next step is to open just the doors of your choosing, to only the people you select.

In contemporary accounting software, this ability to completely control digital system access has a name: field-based security.

What Is Field-Based Security?

As a concept, “field-based” security is really just as straightforward as it sounds. It refers to the specific software capability which allows system administrators to control user access at the software field level.

With field-based security, the create/read/update/delete (CRUD) privileges on every field in the program can be dynamically assigned for each individual user. Essentially, field-based security enables complete control when it comes to who can do what in the software.

While field-based security relies on user authentication (to determine the “who” part of “who can do what”), it doesn’t actually dictate the authentication method. Field-based security can be combined with any authentication scheme, such as username and password, 2-factor authentication, or even biometric scans for progressively more inviolable user verification.

Simple, but Powerful

While it’s simple to understand how field-based security works, that simplicity shouldn’t overshadow its value.

Any time you have multiple users, there are going to be situations that require different access levels, depending on who needs to do what in the software. Field-based security provides the power to control this access.

A primary concern of business owners–especially among ones moving to a multi-user environment for the first time–is privacy. It’s natural to want to provide staff with the ability to do what they need, but still limit employees from, say, accessing company revenue information or salary data on co-workers. Field-based security provides management with the ability to balance transparency and privacy to exact specifications.

As important as it is to ensure privacy, it’s even more important to embrace measures that protect the integrity of financial records. One of the most fundamental standards of generally accepted accounting principles (GAAP) is the idea of separation of responsibilities.

Separation of responsibilities calls for organizations to split critical duties that may offer the opportunity for exploitation between multiple employees. Separating responsibilities helps reduce vulnerabilities by structuring roles so it is difficult to individually pull off a scam. Multi-person scams, of course, involve greater risk and complexity for would-be offenders, so the difficulty presented by effective separation of responsibilities works as an important anti-fraud deterrent.

Field-based security can also reduce the effort associated with post-fraud forensic accounting and increase the chances of locating the offender simply by limiting the pool of potential suspects. When system access is provided only as required by individual job duties, rather than provided universally to all users, it’s much easier to find responsible parties when fraud, or even unintentional errors, occur.

Fraud attempts come in many different forms. Consider a partial list of common fraud schemes:

  • Altered payee check tampering
  • Payments to shell companies
  • Recording of cash receipts as credits or collection write-offs
  • Over-reporting to payroll of hours worked
  • Mischaracterization or fictitious reporting for reimbursed expenses
  • Intentional product shipping to phony addresses
  • Theft of inventory or assets, followed by reporting items purchased from supplier as not received
  • Kickbacks from customers receiving unauthorized discounts

Because field-based security is a global program control, it provides a measure of protection against all these various fraud types and many others.

Field-Based Security vs the Alternatives

Given the value of field-based security, it might seem logical for it to be standard in pretty much any multi-user accounting package. That’s not the case though.

Many entry-level packages–which are very often primarily targeted to single-user businesses–will forgo adding field-based security for any number of reasons.

Certainly, establishing all the functions for full access control requires additional development and code to maintain. Also, a design imperative for many entry-level accounting programs is to keep the program controls as unintimidating as possible. While field-based security offers much more choice, choice means more decisions to make and more complexity.

Instead of field-based security, many of the introductory-type accounting solutions offer only “application level” security, which controls access by functionality groupings. This approach isn’t without benefits, but it has its limitations. For instance, it’s great to be able to limit sales staff to only customer or billing info, and keep them out of top-level financial reporting.

But many of the most important accounting checks and balances occur intra-departmentally. The classic separation of responsibilities example would be prohibiting the employee who authors an AP record from printing the checks, in order to ensure consistent payment review.
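A minimal sketch of per-user, per-field CRUD grants combined with the separation-of-responsibilities rule just described, added here as an illustration and not taken from any accounting product. All user names, field names and the idea of modeling check printing as creating an `ap_check.number` field are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample policy: (user, field) -> allowed CRUD operations.
# Anything not listed is denied, i.e. every door starts closed.
GRANTS = {
    ("alice", "ap_invoice.payee"): {"create", "read", "update"},
    ("alice", "ap_invoice.amount"): {"create", "read", "update"},
    ("alice", "ap_check.number"): {"create"},  # over-granted on purpose
    ("bob", "ap_invoice.payee"): {"read"},
    ("bob", "ap_invoice.amount"): {"read"},
    ("bob", "ap_check.number"): {"create"},
}
AUDIT_LOG = []  # (user, field, operation, decision) for later review

def allowed(user, fld, op):
    """Field-level check: default deny, and record every decision."""
    ok = op in GRANTS.get((user, fld), set())
    AUDIT_LOG.append((user, fld, op, "allow" if ok else "deny"))
    return ok

@dataclass
class APInvoice:
    payee: str
    amount: float
    authored_by: str  # kept on the record so duties can be separated

def create_invoice(user, payee, amount):
    for fld in ("ap_invoice.payee", "ap_invoice.amount"):
        if not allowed(user, fld, "create"):
            raise PermissionError(f"{user} may not create {fld}")
    return APInvoice(payee, amount, authored_by=user)

def print_check(user, invoice):
    if not allowed(user, "ap_check.number", "create"):
        raise PermissionError(f"{user} may not print checks")
    # Separation of responsibilities: even with the field grant, the
    # author of the AP record cannot also print the check for it.
    if user == invoice.authored_by:
        AUDIT_LOG.append((user, "ap_check.number", "create", "deny-sod"))
        raise PermissionError("author of AP record cannot print its check")
    return f"CHECK to {invoice.payee} for {invoice.amount:.2f}"

if __name__ == "__main__":
    inv = create_invoice("alice", "Acme Supply", 1200.0)
    print(print_check("bob", inv))
    for entry in AUDIT_LOG:
        print(entry)
```

The audit log shows why narrow grants also help after the fact: each denial names the user, field and operation, which is the smaller suspect pool the article refers to.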

The good news is there is no shortage of accounting products with access control at the field-level. The functionality is common in many small business programs that are designed with the intention of multi-user access.

Any program truly designed for the mid-market or enterprise customer will definitely include field-based security. In fact, from that standpoint, it’s not a bad litmus test. Any program marketed around the claim of being appropriate for medium-sized businesses or enterprises, but which fails to deliver field-level access control, has eyes bigger than its stomach and is worth passing over when selecting an adequately secure multi-user accounting platform.

To locate accounting solutions which include field-based security, find out about top software options for your needs with our free, no obligation software matching service.
