Deterrence Is Necessary, But Breaches Just a Matter of Time

The HR & Payroll Resource Center is your integrated, comprehensive source for HR and Payroll information that merges news, analysis, and guidance – including custom answers,...

By Michael Baer  

Recent data breaches at federal agencies notwithstanding, employers need to be concerned with internal access to key data that can lead to fraud as well as outside threats, speakers said Feb. 27 at a Washington Metropolitan Area Chapter of the American Payroll Association meeting in Springfield, Va.

Technological advancements have changed how people steal, said Stephanie Salavejus, vice president and chief operating officer of Peninsula Software of Virginia Inc., a payroll software developer in Newport News, Va.

In part because of the technology available and techniques used, the average payroll fraud exists 36 months before discovery, said Frank Gorrell, a Virginia consultant on internal financial controls and fraud.

A 2013 Forbes magazine article said that payroll fraud occurs in 27 percent of all businesses, he said.

The Enemy Within

Inside an organization, a written data security policy should be communicated to all employees. Salavejus' group implemented a strict policy about the usage of personal flash drives or external hard drives and set up workplace monitoring tools to help deter intruders and malicious software applications.

However, an employee angry with the organization who has access to key information still can be very dangerous, said Salavejus, whose company also is known as PenSoft. Employers need to understand the fraud triangle of motive, opportunity and rationalization and be aware of behavioral signs of workers that may undermine such protections, Salavejus and Gorrell said.

Behavioral red flags should be pursued, and there is a correlation to some personal behaviors, such as gambling and other addictions, and the likelihood of workplace fraud or theft, Gorrell said. A Defense Department Inspector General handbook on fraud indicators for contract auditors makes note of such correlations, he said.

According to a 2012 report by the Association of Certified Fraud Examiners, a Texas-based group that is the world's largest anti-fraud organization, the most likely people to commit workplace fraud are nonmanagement employees, followed by those in management and executives and business owners, Gorrell said.

A written data security policy for employees and a system to report fraud should be established.  


The average amount defrauded, however, is exponentially higher for executives and owners than for the rank-and-file group, Gorrell said.

Employers should set up a tip line or other methods to allow those who find potentially fraudulent activity to report the problem, Gorrell said. The fraud examiner's study reported that 43 percent of fraud was uncovered through tips from employees, he said.

Although 14 percent of reported fraud incidents were identified through management reviews, 11.7 percent were discovered by internal audit procedures and only 3.5 percent were picked up by external audit--less than the 7.8 percent discovered by accident, Gorrell said.

Barbarians at the Gate

With hundreds of attempts a day to hack into her company's systems, Salavejus said clients need to ask vendors about their security protocols. Corporate identity theft is on the rise and less information is needed to steal a corporate identity than a personal one, she said.

In addition to examining service-provider policies and protections, organizations should:

• be thorough in applying data security protocols to in-house systems;

• limit the type and amount of documents with officers' names and signatures that are posted publicly;

• apply appropriate checks and balances to payroll processes and review frequently;

• date and time-stamp files that need to be reviewed and cleared for payroll processes;

• apply Automated Clearing House filters to clear direct-deposit transactions;

• be aware when labeling files as banking, payroll or ACH, which could attract hackers;

• review the security of accounts with banks;

• use positive pay procedures with the banks when releasing payments by check; and

• know that competitors may be maliciously trying to harm the organization through internal systems.


The Tipping Point

Implementing such security protocols and checklists can cause lags in payroll processing, Salavejus said. In a corporate environment where streamlining and efficiencies are top priorities, such procedures could generate complaints.

The alternative is the exposure of corporate assets to theft and other manipulation, Salavejus said.

More payroll data is being stored by service providers in cloud computer servers, allowing clients to access and modify files without clogging up systems with the terabytes of data. Despite its advantages, Salavejus said she is concerned about cloud-computing data breaches.

Applying the U.S. Marines' motto of deter, detect and defend can be effective, but there are no assurances that payroll fraud and data breaches can be prevented, Salavejus said.

“Fraud is such that we are forced to be more reactive than proactive,” she said.


To contact the reporter on this story: Michael Baer in Washington at

To contact the editor on this story: Michael Trimarchi at