Safeguarding Your Operations

Fraud prevention and internal controls

Published in the September 2013 Issue Published online: Sep 02, 2013 Daniel Packard, Cooper Norman certified fraud exam
Viewed 3355 time(s)

Occupational fraud continues to be a threat to small business. As regional producers, we often forego critical safeguards necessary in preventing fraud due to perceived costs and unnecessary redundancies. This deficiency results in an increased vulnerability to fraud, and accounts for larger median losses than larger operating counterparts. Recent surveys estimate that the typical organization loses 5 percent of its revenues to fraud each year. Applied to the estimated 2011 Gross World Product, this figure translates to a potential projected global fraud loss of more than $3.5 trillion. These surveys estimate the median loss caused by the occupational fraud to be $140,000. More than one-fifth of cases caused losses of at least $1 million.

My experience as a fraud examiner has afforded me many unique insights. I have met several business owners, observed many business structures and evaluated just about every method of embezzlement and theft. One commonality among all these examinations is the reason it happened-failure to implement adequate internal controls.

Many business owners feel they've safeguarded their business by surrounding themselves with people they know and trust. Unfortunately, these relationships built on familiarity and trust often create an ideal environment for fraud to occur. It sedates the business owner, making him or her numb to the warning signs of fraud. No amount of familiarity can completely acquaint us with the reasons a person commits fraud. The fraud triangle is a model for explaining the factors that cause someone to commit occupational fraud. It consists of three components which, together, lead to fraudulent behavior:

1) Perceived unshareable financial need;

2) Perceived opportunity;

3) Rationalization.

The financial needs and rationalization an employee may have to commit fraud cannot be adequately diagnosed in a conventional business environment. However, the opportunity he or she may have to commit fraud is within the control of the business owner. It is the responsibility of the business owner to put roadblocks in place. According to recent surveys, the presence of anti-fraud controls is notably correlated with significant decreases in the cost and duration of occupational fraud schemes. Victim organizations that had implemented any of the common anti-fraud controls experienced considerably lower losses and time-to-detection than organizations lacking these controls. Many of these controls do not have substantial costs associated with them and can be easily implemented in any business structure.

The following are useful controls that should be considered in your organization:

Separation of Duties. Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of requiring two signatures on a check. An organization should maintain appropriate separation of duties between accounting functions and provide necessary review and oversight to these functions.

When separation of duties is performed appropriately, the following functions will occur separately:

 Authorization function (e.g. sign checks);

 Recording function and preparing source documents (e.g. printing checks);

 Custody of asset whether directly or indirectly (e.g. receiving payments in the mail, or mailing payments to vendors);

 Reconciliation or audit (e.g. monthly bank reconciliations).

Bank Reconciliations and Control of Bank Statements. Monthly bank reconciliations should be performed on all cash accounts by someone who does not make bank deposits or initiate cash disbursements. This reconciliation should be performed before the end of the month in which the bank statement is received. All bank reconciliation should also be reviewed by a member of management to ensure that correct balances were used and that there are no unusual reconciling items. A member of management should also open the monthly bank statement and review it for any unusual items (e.g. checks with one signature) prior to giving the statement to the individual performing the reconciliation.

Petty Cash Reconciliation. Your organization should keep all petty cash in a secure lock box. A simple log should be maintained with a record of when petty cash is disbursed, who petty cash was distributed to and what the petty cash was used for. The log should also show when petty cash is added to the lock box. Reconciliation should be performed between checks on the bank statement made out to petty cash and deposits recorded on the petty cash log.

Physical Controls. Measures to control physical access include the obvious practice of locking doors, desks and file cabinets so that unauthorized personnel cannot gain access. Other measures are becoming increasing important (and affordable). These measures include employee IDs and passwords, computerized security systems and electronic surveillance systems. Measures like electronic surveillance systems also lend to an operation's productivity.

Physical controls will help to reduce the risk of fraud in the following ways:

 Many frauds require that the perpetrator come into physical contact with either the asset being misappropriated, or the related asset records, in order to conceal the fraud.

 Reducing physical access reduces opportunity.

 Physical access controls are often the most visible to potential perpetrators. Strong controls in this area send a powerful deterrent message. Conversely, loose physical controls invite challenge.

 Access controls that do not prevent fraud often assist in the fraud investigation process (for example, determining what actually happened and narrowing down suspects).

Administrative Rights, Passwords, and Closing Dates in Accounting Software. Management's login should be the only login in your accounting system that has been given all administrative rights. Usernames and passwords should not be shared. Closing dates should also be used to ensure that data from prior periods cannot be modified once it has been finalized. All members of management should have equal rights and authority in the accounting software.

Be Sensitive to "Red-Flag" Behavior. Fraudulent behavior often manifests itself through an employee's behavior. The following have been identified as potential signs of fraudulent behavior:

 Does the employee never call in sick regardless of how physically ill they appear, or has the employee stopped taking full weeks of vacation in which someone else performs their duties? A reluctance to take regular holidays may be due to the need to conceal an on-going fraud. Fraud can often come to light during a sudden and unexpected absence of the person perpetrating it. Some organizations have a rule that staff must take several consecutive days' of vacation each year-both for the physical well-being of the employee and to reduce the opportunity for long-term fraud to go undetected. During the employee's absence, another employee should be asked to perform the job functions of the vacationing employee.

 Is the employee working odd hours when no one else is there? Regular late working by individual employees should always be investigated, as it may result from a need to cover up fraudulent activities in absence of other members or staff. A trusted employee can be in a powerful position, especially if management has become relaxed about monitoring their activities.

 Has an employee's lifestyle suddenly greatly improved with no explanation? An apparent discrepancy between an employee's earnings and their lifestyle is a common indicator of fraud.

A Fraud Response Plan. A fraud response plan should include the general company policy on fraud and should also set out the action to be taken when fraud is suspected. Having a detailed fraud response plan in place helps ensure that everyone is clear about the action that needs to be taken if and when fraud is identified or suspected. Thinking about the issues in advance helps management ensure all the relevant aspects are covered. It is difficult to react promptly without a plan to follow. A detailed document setting out the policies and procedures to be followed in the case of fraud has the following benefits:

 It demonstrates that management is in control of the situation;

 It can help to minimize the risk of further loss once fraud is detected;

 It should improve the chance of recovering the loss already incurred, or maximize the amount recoverable;

 It provides a clear statement to employees that management will not condone fraud and will take appropriate action against anyone found to be involved in fraudulent activity.

The Control Environment. A functional control environment is best maintained by management. Management can encourage an anti-fraud culture emphasizing corporate responsibility. Management should define fraud so that employees are aware of what actions constitute fraud and/or misconduct and what consequences exist for engaging in fraudulent behavior. They should also ensure that all employees know the procedures in the event of a fraud being discovered or suspected, including how to report fraud. Occupational fraud is more likely to be detected by a tip than by any other method. The majority of tips reporting fraud come from employees of the victim organization.

Identifying the most common sources of tips is essential to crafting a system that encourages individuals to step forward with information. While just over half of all tips originated from employees, research reveals that several other parties (customers, vendors, etc.) tip off organizations to a substantial number of frauds. Creating an environment where the reporting of fraudulent behavior is encouraged will be of great benefit to your organization.

Implement Sporadic Fraud Prevention Check-Ups. It is always cheaper to prevent fraud than to detect it. Since fraud can be a catastrophic risk, implementing sporadic fraud prevention check-ups can save your company from disaster. Research suggests that the strongest deterrent to fraud is perceived invigilation. If your employees think someone is looking, they will likely not risk being discovered. The Fraud Prevention Check-Up can pinpoint weaknesses in your organization and help you mitigate the risk. A certified fraud examiner will be a necessary element of this prevention measure.

Fraud is an expensive drain on a company's financial resources. In today's globally competitive environment, no one can afford to throw away the 5 percent of revenues that represents the largely hidden cost of fraud. If your organization is not identifying and tackling its fraud costs, it is vulnerable to competitors who lower their costs by doing so. Strong fraud prevention processes help increase the confidence investors, regulators, audit committee members and the general public have in the integrity of your company's financial reports.