Get a Grip on Operational Fraud Risk

Steps Your Organization Can Take to Detect and Prevent Fraud

By Rodrigo Macias, CFE, Director, Advisory Services

Business fraud is rampant and costing businesses millions of dollars per year. This series of articles is for CEOs, business owners, internal audit leaders and other stakeholders seeking to understand and limit opportunities for fraud within their organization. This is Part 1 of a 3-Part Series.

An unexpected consequence of the economic downturn that started in 2008 was an increase in fraud across a wide variety of industries. As companies turned to layoffs as a way to lower overhead, many organizations unintentionally exposed themselves to potential fraud by laying off employees who oversaw essential internal controls or served in a system of checks and balances that would have prevented fraud. According to the Association of Certified Fraud Examiners (“ACFE”), the combination of omnipresent economic pressure and a lack of controls resulted in historic levels of fraud following the recession. As a result, companies as large as Fortune 500 organizations, and as small as local businesses, have been forced to course-correct and get a handle on fraud.

The first step toward preventing fraud is gaining a holistic view of the circumstances under which it occurs. The ACFE provided the following touchpoints to establish a baseline understanding of how fraud occurs:

  • Organizations lose approximately 5% of revenue due to fraud
  • Average fraud duration is 18 months
  • 40% of fraud cases were detected via Tip/Hotline
  • 75% of fraud cases were committed by employees working in seven departments:
    – Accounting & Finance
    – Purchasing
    – Executive/Upper management
    – Operations
    – Customer Service
    – Sales

How do we fight fraud?

Fundamentally, business fraud prevention is a three-step process that combines reviews of operations and internal controls, the acceptance of certain conditions, and the systematic elimination of those risks.

Assessing Fraud Risk

The first step to preventing fraud is identifying opportunities for fraud and assessing the risk. Fraud can appear in unexpected ways. Therefore, a spot check of departments and operations is a necessary step. While following guidelines on where fraud is likely to occur (like those provided by the ACFE above) is a good way to prioritize activities, it should not limit the inquiry. The fraud assessment should be performed by employees independent of the operation or department, ideally by your in-house fraud investigation team or internal audit department. Furthermore, collaborating with an outside subject matter expert, or Certified Fraud Examiner (“CFE”), can augment your team, providing a critical perspective for identifying fraud and developing internal procedures to eliminate fraud in the future.

Monitoring and Review

An evergreen component of fraud prevention is the monitoring and review of internal controls. A sound internal control structure is the first line of defense against fraud (and a vast array of other operational hazards). Performing regularly scheduled testing, and updating controls based on the results of the testing, will create an operational structure actively working to limit opportunities for fraud.

Communication and Evaluation

After the Assessment and Monitoring stages, your organization can make final decisions based on the findings. The review function (whether performed by a CFE, internal auditor, or consultant) will present a final report on each stage of the operational review to the Internal Audit Committee, Board, or other decision-making body. The report should identify all gaps, assign risk levels, and propose solutions.

With this holistic view of operations, risks, and costs associated with fraud prevention in hand, the decision-making body can make informed decisions on the most efficient ways to shore up defenses and proactively prevent fraud.

Tips on Developing Internal Controls

Internal controls fall into two general categories: preventative controls and detective controls. The former are systems put in place to limit the possibility of fraud, whereas the latter can be enacted to identify and root out active, or historical, fraudulent activities. Each type of internal control requires specific knowledge of industry standards, business operations, and the culture of the organization.

Preventative controls can be the most effective, yet unheralded champions of fraud prevention, as they prevent fraud before it occurs. These can be difficult to “sell” to a governing body, as their upfront cost may not be easily balanced by definable losses saved.

Factors to consider when designing preventative controls:

  • Business strategy and culture
  • Utilization of IT systems
  • Length of existing processes
  • Consistent process outcomes
  • Ability to circumvent internal controls
  • Employee empowerment

Detective controls are an opportunity to identify and root out on-going or historical fraud. These controls tend to follow “after the fact” and are an attempt to “right a wrong,” when there has already been potentially significant loss. While it is always preferable to prevent fraud before the act, detective controls can produce valuable insights that can be used to prevent future fraudulent actions.

Factors to consider when designing detective controls:

  • Average or expected outcomes
  • Types of trends and patterns
  • Unusual activity or outliers
  • Review information from different directions
  • Changes to defined time periods reviewed
  • Utilization of IT systems

The Limits of Internal Controls

While robust internal controls are the most effective solution to fighting fraud, there simply is no “fool-proof” system. A company must remain vigilant, responsive and adaptable to changing factors outside the limits of internal controls – factors like employee turnover and external economic pressures.

Understanding the limits of internal control structures is an important step toward developing a system that accounts for as many variables as possible. Common limits to internal controls include:

  • Human judgment
  • Management’s ability to override controls
  • Maintaining sufficient resources to achieve adequate segregation of duties
  • Breakdown of controls
  • High management turnover
  • Lack of employee training
  • Poorly documented policies & procedures
  • Internal audit plan not based on risk of operations

There is no “solution,” only steps to mitigate or uncover

Fraud is a major issue with which every organization – including public companies, growing small businesses, government institutions, or tribal entities – must actively contend. The economic downturn and the layoffs, downsizing and other negative economic outcomes that followed have created an environment where fraud is rampant, with no cessation in sight. Every organization must take a hard look at its operations, culture and internal controls to assess opportunities for fraudulent activity, and take the steps necessary to remove or limit those opportunities.

Stay tuned for future articles in this series where we will take a close look at what organizations can do to limit fraud.