By Randy Barnes, Director, Business Advisory Services
Fraud can cause devastating financial loss and damage to an organization’s reputation. What safeguards can you take before the crime?
The Association of Certified Fraud Examiners’ (ACFE) most recent report confirms once again that while every organization faces various types of risks, they all encounter the risk of “occupational fraud.” The ACFE study estimates that the typical organization loses 5% of revenues a year due to occupational fraud.
What can you do to reduce the chance of fraud in your organization?
Reducing fraud risks starts with assessing fraud risks for your organization. Understand what fraud schemes your organization is vulnerable to and create a plan to mitigate these fraud risks. The ACFE study noted that the presence of internal controls was correlated with lower fraud losses and quicker detection. The following are some controls you should consider.
Segregation of duties: Establishing segregation of duties (SoD) is the gold standard of internal controls. Employees should not be in a position to both perpetrate and conceal errors or fraud in the normal course of their duties. Assigned SoD should prevent one person from having access to both assets and the responsibility to maintain the accountability for those assets. Wherever possible, support SoD by restricting access within software applications to only functions that users require to perform their roles and responsibilities.
Use the concept of SoD to ensure that no one person has control over all parts of a financial transaction. Certain transactions such as purchases and contracts that create an obligation for the organization should be approved according to an authorization policy. Those authorizing obligations should not also be initiating transactions or performing record keeping such as recording transactions and reconciling balance sheet or bank accounts. Those performing record keeping should not be authorizing distribution of funds. If you do not have enough employees in accounting, utilize others as part of your control system.
Require management review: Require management reviews of work performed, such as recording of transactions, reconciliations, and preparation of estimates, schedules and reports. Not only does this help prevent or detect fraud, it also helps prevent or detect errors and improves internal communication.
Discourage related-party transactions: Discover and avoid or discourage related-party transactions. Related parties include other parties with which your organization may deal if that party controls or can significantly influence the management or operating policies of your organization to an extent that your organization might be prevented from fully pursuing its own separate interests. This may include ownership in or borrowing from another entity, real estate sales, etc. Restrict employees who are related to each other from working in the same department or on the same transaction. Also, restrict employees from working simultaneously for a competitor, customer or supplier to avoid conflicts of interest.
Review budget quarterly: To assist in the detection of unauthorized transactions, prepare a budget, have it approved and compare the budget with your actual financial results at least quarterly. The comparison should include an analysis of material variances, and management should review the analysis.
Establish cybersecurity protocols: Cybersecurity is a present and growing threat coming from outside and inside organizations. Create and monitor cybersecurity practices, policies and plans including specific procedures for responding to a cyberattack and business-continuity planning. Test for effectiveness and efficiency of controls and protocols.
Anonymous tip line: The most common fraud detection method in the ACFE study was tips (39% of cases). Organizations that had reporting hotlines were more likely to detect fraud through tips than those without hotlines (47% versus 28%, respectively). Set up an anonymous way for your employees to alert you of any serious concerns or suspicions related to fraud within your organization. Preferably, alerts will go directly to the audit committee chair and a compliance officer. Take these alerts seriously and follow up on them.
Culture of ethics: Live ethics in your corporate culture. A culture of ethics starts at the top and is demonstrated daily. This cannot be emphasized enough as it sets the bar for acceptable behavior in your organization. Don’t expect employees to act differently than how you are willing to act.
Training on internal controls: Ensure employees are aware of and trained on internal controls. Once controls are in place, don’t allow them to be overridden. Overriding existing internal controls contributed to fraud in 20% of cases studied. Also, consider testing the design and effectiveness of anti-fraud controls over higher-risk areas. This can be performed by internal audit or by employees in other departments.
The above is not a full list of internal controls to consider; risk points vary among companies, requiring different mixes of internal controls. Organizations of varied sizes tend to have different fraud risks. Corruption is more prevalent in larger organizations, while check tampering, skimming, payroll, and cash larceny schemes are twice as common in small organizations as in larger organizations.
If your organization would like professional assistance to mitigate risk and deter fraud, contact Mike Ford, Co-Founder and President Strategic Consulting Services of Pro Back Office at 858-622-1681 or email mike@probackoffice.com. Our risk mitigation experts are skilled in providing recommendations for establishing internal controls to reduce the chance of fraud in your organization.
Resources:
Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2016 Global Fraud Study. The report contains an analysis of 2,410 cases of occupational fraud that were investigated between January 2014 and October 2015. Of these cases 1,038 (49%) were in the U.S.A.