Get a Grip on Operational Fraud Risk
Business fraud is rampant and costing millions of dollars per year. This series of articles is for CEOs, business owners, internal audit leaders and other stakeholders seeking to understand and limit opportunities for fraud within their organization. This is Part 1 of a 3-part series.
An unexpected consequence of the economic downturn that started in 2008 was an increase in fraud across a wide variety of industries. As companies turned to layoffs as a way to lower overhead, many organizations unintentionally exposed themselves to potential fraud by laying off employees who oversaw essential internal controls or served in a system of checks and balances that would have prevented fraud. According to the Association of Certified Fraud Examiners (“ACFE”), the combination of omnipresent economic pressure and a lack of controls resulted in historic levels of fraud following the recession. As a result, companies as large as Fortune 500 organizations, and as small as local businesses, have been forced to course correct and get a handle on fraud.
The first step toward preventing fraud is gaining a holistic view of the circumstances under which it occurs. The ACFE provided the following touchpoints to establish a baseline understanding of how fraud occurs:
- Organizations lose approximately 5% of revenue due to fraud
- Average fraud duration is 18 months
- 40% of fraud cases were detected via Tip/Hotline
- 75% of fraud cases were committed by employees working in seven departments:
  - Accounting & Finance
  - Purchasing
  - Executive/Upper management
  - Operations
  - Customer Service
  - Sales
How do we fight fraud?
Fundamentally, business fraud prevention is a three-step process that combines reviews of operations and internal controls, the acceptance of certain conditions, and the systematic elimination of those risks.
Assessing Fraud Risk
The first step to preventing fraud is identifying opportunities for fraud and assessing the risk. Fraud can appear in unexpected ways. Therefore, a spot check of departments and operations is a necessary step. While following guidelines of where fraud is likely to occur (like those provided by the ACFE above) is a good way to prioritize activities, it should not limit the inquiry. The fraud assessment should be performed by employees independent of the operation or department, ideally by your in-house fraud investigation team, or internal audit department. Furthermore, collaborating with an outside subject matter expert, or Certified Fraud Examiner (“CFE”), can augment your team, providing a critical perspective for identifying fraud and developing internal procedures to eliminate fraud in the future.
Monitoring and Review
An evergreen component of fraud prevention is the monitoring and review of internal controls. A sound internal control structure is the first line of defense against fraud (and a vast array of other operational hazards). Performing regularly scheduled testing, and updating controls based on the results of the testing, will create an operational structure actively working to limit opportunities for fraud.
Communication and Evaluation
After the Assessment and Monitoring stages, your organization can make final decisions based on the findings. The review function (whether performed by a CFE, internal auditor, or consultant) will present a final report on each stage of the operational review to the Internal Audit Committee, Board, or other decision-making body. The report should identify all gaps, assign risk levels, and propose solutions. With this holistic view of operations, risks, and costs associated with fraud prevention in hand, the decision-making body can make informed decisions on the most efficient ways to shore up defenses and proactively prevent fraud.
Tips on Developing Internal Controls
Internal controls fall into two general categories: preventative controls and detective controls. The former are systems put in place to limit the possibility of fraud, whereas the latter can be enacted to identify and root out active, or historical, fraudulent activities. Each type of internal control requires specific knowledge of industry standards, business operations, and the culture of the organization. Preventative controls can be the most effective, yet unheralded, champions of fraud prevention, as they prevent fraud before it occurs. These can be difficult to “sell” to a governing body, as their upfront cost may not be easily balanced by definable losses saved. Factors to consider when designing preventative controls:
- Business strategy and culture
- Utilization of IT systems
- Length of existing processes
- Consistent process outcomes
- Ability to circumvent internal controls
- Employee empowerment
- Average or expected outcomes
- Types of trends and patterns
- Unusual activity or outliers
- Review information from different directions
- Changes to defined time periods reviewed
- Utilization of IT systems
The Limits of Internal Controls
While robust internal controls are the most effective solution to fighting fraud, there simply is no “fool-proof” system. A company must remain vigilant, responsive and adaptable to changing factors outside the limits of internal controls – factors like employee turnover and external economic pressures. Understanding the limits of internal control structures is an important step toward developing a system that accounts for as many variables as possible. Common limits to internal controls include:
- Human judgment
- Management’s ability to override controls
- Maintaining sufficient resources to achieve adequate segregation of duties
- Breakdown of controls
- High management turnover
- Lack of employee training
- Poorly documented policies & procedures
- Internal audit plan not based on risk of operations