Use a multi-pronged approach to protect car dealerships from employee fraud. The best solutions lie in reviewing key controls, employee tasks and access to the dealership management system.
The most important manual control involves good oversight. The dealership’s leadership must have good processes for reviewing expenses. That includes looking at them on a 12-month rolling basis.
Oversight also includes making sure the accounting department maintains monthly reconciliations of cash, parts inventory, vehicle inventory and floor plans.
The office manager or controller must review these reconciliations. Cash reconciliations, for example, should be reviewed by someone who neither enters invoices nor can print checks.
The dealership must have processes in place to ensure transactions are properly reviewed and approved. Segregate tasks so no one person can entirely control any process that involves cash disbursements, receipts, and selling and receiving inventory – particularly parts inventory.
Review and approval of entries and vendor payments, as well as reconciliations (even if prepared by the DMS), are all key manual controls managed by your employees.
The Forgotten Risk
Most DMS dashboards do what they are designed to do upon implementation. Vendors often don’t develop systems with growth and expansion in mind. Specifically, they fail to address what access should be granted to each user so that no one person has the keys to everything.
The usual problem is that over time, users tend to have more access than is needed, as job functions change or user access for a particular role is modified for exceptions. Those changes and exceptions often get carried over without a thought to potential risks.
Where Do You Start?
As Henry Ford famously said, “Nothing is particularly hard if you divide it into small jobs.” Optimizing user access, so that no single employee has more access than he or she needs to perform responsibilities, should be done in steps that involve:
- Understanding your employees’ responsibilities and daily tasks.
- Identifying who has access to the system.
- Determining what tasks each user can perform in the system and analyzing whether that access is appropriate.
Bar Access to Former Employees
Have your information technology manager run a report for the DMS and other key systems listing every user and their access. Start with the obvious and easiest: Do you show former employees as active DMS users? The answer most likely is, “Yes.”
Getting this first step right is important because these days much of your customer relationship management system’s information can be pulled on tablets and other devices. Have a process in place to lock out a departing vehicle salesman, who could otherwise walk away with a contact list with little effort.
Who Are the 'Superusers'?
After making sure a sound process is in place that denies DMS access to former employees, identify who has administrator or “superuser” access to the system.
It should be only a few individuals, since having administrative rights means these users have access to every part of the system. Typically, it should only be the IT administrator, the chief financial officer, the dealer principal or a designated person, and no one else.
Document Employee Access
It’s best to rely on the expertise of your certified public accounting firm to do a comprehensive analysis of DMS user access. Identify if tasks assigned to each user are appropriately segregated. Each employee’s tasks should be clearly documented to identify if there are people performing too many of the key steps in a process.
This process also provides the opportunity to determine if you have enough employees cross-trained in key tasks. Analyze the role of each individual to determine if an employee has been granted access in the DMS that gives too much user control.
Examples of inappropriate user access include an accounts payable clerk who has access to the ADV menu (to create new vendors), clerks who have the ability to modify a previously posted deal and parts department personnel who can modify customer master information, including the ability to increase credit limits, potentially exposing your dealership to uncollectible receivables.
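The three checks described above (former employees still active, superusers outside the short approved list, and role-to-permission conflicts) can be run against the user report in one pass. The script below is an added example, not taken from the article or from any DMS vendor; it assumes the DMS export and HR roster can be loaded in the shape shown, and every user, role and permission name other than the ADV menu is constructed.

```python
"""Access review over a DMS user export (all sample data is constructed)."""

# Constructed HR roster of current employees: user id -> job role.
HR_ACTIVE = {
    "jsmith": "ap_clerk",
    "mlopez": "parts_counter",
    "tnguyen": "it_admin",
    "rpatel": "cfo",
    "kbrown": "office_clerk",
}

# Constructed DMS export. "ADV" is the vendor-creation menu named in the article;
# the other permission names are hypothetical placeholders.
DMS_USERS = [
    {"user": "jsmith", "active": True, "admin": False, "perms": {"AP_ENTRY", "ADV"}},
    {"user": "mlopez", "active": True, "admin": False, "perms": {"PARTS_SALE", "CUSTOMER_MASTER_EDIT"}},
    {"user": "tnguyen", "active": True, "admin": True, "perms": set()},
    {"user": "kbrown", "active": True, "admin": True, "perms": {"MODIFY_POSTED_DEAL"}},
    {"user": "dwhite", "active": True, "admin": False, "perms": {"CRM_CONTACTS"}},
    {"user": "oldacct", "active": False, "admin": False, "perms": set()},
]

ADMIN_ROLES = {"it_admin", "cfo", "dealer_principal"}  # plus any designated person
# Role -> permissions that role should not hold (the article's three examples).
CONFLICTS = {
    "ap_clerk": {"ADV", "MODIFY_POSTED_DEAL"},
    "office_clerk": {"MODIFY_POSTED_DEAL"},
    "parts_counter": {"CUSTOMER_MASTER_EDIT"},
}

def review_access(dms_users, hr_active, admin_roles=ADMIN_ROLES, conflicts=CONFLICTS):
    """Return a sorted list of (user, finding) tuples for active DMS accounts."""
    findings = []
    for acct in dms_users:
        if not acct["active"]:
            continue  # account is already locked out
        user, role = acct["user"], hr_active.get(acct["user"])
        if role is None:
            findings.append((user, "active account, not on HR roster"))
            continue
        if acct["admin"] and role not in admin_roles:
            findings.append((user, f"superuser access for role {role}"))
        for perm in sorted(acct["perms"] & conflicts.get(role, set())):
            findings.append((user, f"{role} holds {perm}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(DMS_USERS, HR_ACTIVE):
        print(f"{user:10} {finding}")
```

Each finding is a prompt for a reviewer to confirm or document an exception, which keeps carried-over access from going unnoticed between reviews.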
Your dealership’s management team has its hands full with day-to-day operations, so reviewing whether key controls over key processes are implemented and whether user access to the DMS and other systems is appropriate often falls to the bottom of the to-do list.
However, a periodic review mitigates risks from within.
Juan Pena is a director in MBAF’s audit department and Risk Advisory Practice.