Internal Control Checklist: 5 Anti-Fraud Strategies to Deter, Prevent, and Detect Fraud

[Editor's note: This article was contributed to Corporate Compliance Insights by Mr. Erick O. Bell, Senior Manager at Deloitte Financial Advisory Services LLP. It was originally published on February 16th, 2009. We are publishing it now because the advice is timeless and we want the many subscribers we have gained since then to have a chance to read it. Mr. Bell can be contacted via email at erbell@deloitte.com or by phone at 415-783-6694.]

**********

Every company should want to prevent fraud from happening against their organization, and most companies will not readily admit that their organizations may be vulnerable to any significant fraud. The reality is that many individuals can commit fraud against any organization with a clever understanding of the company’s internal controls structure.

Black’s Law Dictionary1 defines fraud as “a false representation of a matter of fact…which deceives and is intended to deceive another”. Fraud can be perpetrated by an individual within an organization or external to the organization. It is generally described in three categories: asset misappropriation, fraudulent accounting and financial reporting, and corruption.

Fraud is a relevant issue worthy of discussion – particularly in today’s economy. As the price of a gallon of gasoline and the adjustable interest rates on certain home mortgages continue to rise, employment stability and incentive compensation payouts continue to decline2. This dichotomy can increase the pressures and incentives for individuals to concoct fraud schemes to perpetrate. These individuals often rationalize their fraudulent actions by supposing that a) the dollar amount is not significant enough to the company for management to care; b) their current salary is below market and they have “earned” this payoff; c) management is already considering layoffs and the severance packages will likely not cover their immediate expenses; and d) they’re too clever to get caught. With the appropriate amount of pressure/incentive and rationalization, history has shown that some individuals may turn their attention towards the opportunities that exist within a company’s internal control structure that could allow a fraud to be committed and, in the potential fraudster’s mind, not detected.

These three factors (pressures/incentives, opportunity, and rationalization) are commonly referred to as the fraud triangle3, and when all three of those conditions are present the risk of fraud being perpetrated can increase significantly. Of those three conditions, opportunity is the one condition that can most effectively be managed to address fraud risks. This condition is principally managed by designing and implementing a control environment that prevents, detects, and deters most fraudulent behavior, whether conducted by employees, vendors, consultants, or senior management. As part of such a control environment, there are five key anti-fraud controls that companies can implement, and it begins with the tone at the top.

PREVENT: A TRULY INDEPENDENT AND EMPOWERED AUDIT COMMITTEE – Organizations that have stakeholders and shareholders independent of management (whether publicly traded or privately held) should also have an audit committee that is independent of management4. The audit committee should be knowledgeable of the company’s fraud risk exposure and aware of the steps management is taking to monitor and mitigate those risks. Truly independent audit committees may also maintain healthy levels of skepticism to promote continuous evaluations of the company’s anti-fraud programs and controls. The audit committee has the responsibility to monitor the results of the annual audits and quarterly reviews, and is also responsible for directing the activities of the internal audit department (if one exists within the organization).

According to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation, internal auditors and independent auditors accounted for approximately 29% of the occupational fraud discovered. The independent auditors have auditing standards that they follow to identify material misstatements due to fraud (SAS 99). However, empowered audit committees can play an active role in the direction, monitoring, and evaluation of the internal auditors to ascertain whether the procedures performed are in those areas that carry the most significant risks. Those significant risk areas can be effectively identified through conducting a fraud risk assessment.

PREVENT: CONDUCT DETAILED FRAUD RISK ASSESSMENTS – PCAOB Standard No. 5, released in 2007, encourages public companies to conduct annual risk assessments and use the results of those assessments to identify the key controls in the significant areas. PCAOB Standard No. 5 also made specific reference to fraud, encouraging management to identify those key controls that are specifically designed to address the risk of fraud.

One purpose of a fraud risk assessment is to help focus management’s attention on the significant fraud risks to be addressed. A fraud risk assessment can be recurring and systematic, and it can involve various levels of management across all functions of the business. An effective fraud risk assessment may include specific fraud schemes that could be perpetrated against the organization, including the people or departments within the organization that could commit each scheme, the likelihood of that scheme occurring against the company in the current year, and the magnitude of impact that the scheme would have on the organization.

The specific fraud schemes identified can be linked to existing internal controls within the organization that can mitigate the fraud risk. The fraud risk assessment can also include a gap analysis that includes a remediation plan for significant fraud risks that could not be linked to existing internal controls. Some companies may have the appropriate resources internally to apply effective interviewing techniques to identify the fraud schemes that could occur across the organization. However, many companies would be well-advised to consider the use of an external provider to assist in conducting the interviews and facilitating the brainstorming sessions so that the meetings are relevant and focused.

One of the advantages of conducting the fraud risk assessment throughout the organization is that it can increase the visibility of management’s attitudes towards managing fraud risks. The increase in management’s communication about fraudulent behavior typically results in greater employee sensitivity to the importance of acting in an appropriate manner (thereby, potentially reducing some of the rationalization that can occur) and the confidence to report suspicious or inappropriate activities.

DETER & DETECT: PROMOTE THE TOOLS FOR EFFECTIVE REPORTING OF SUSPICIOUS OR INAPPROPRIATE ACTIVITIES – The Sarbanes-Oxley Act requires audit committees to establish procedures for the receipt, retention, and treatment of employee complaints across a variety of issues, including fraud and misconduct, and a whistleblower hotline is one of the easiest and least expensive of such procedures. According to the 2008 ACFE Report to the Nation, approximately 46% of all fraud was uncovered through tips. However, the existence of a hotline may not be enough.

Management should also consider conducting periodic evaluations to determine whether the whistleblower hotline is effective, including benchmarking analysis against competitors. The company should consider having an experienced outside agency manage the whistleblower hotline to enhance the perception of confidentiality. If an outside agency is not used to manage the whistleblower hotline, the whistleblower complaints can be initially reviewed by an ethics committee of the company (or similar internal resource with direct access to the audit committee) and reported in a timely manner to the individuals within the appropriate group best equipped to handle the matter.

Since fraud can also include bribery and corruption, access to the whistleblower hotline can be made available to vendors and customers as well as employees. For companies doing business globally, it is advisable for the hotline to be available 24 hours a day, 365 days a year and have multi-lingual capabilities. Most importantly, the availability of the hotline should be communicated on a regular basis, at least annually. As part of this communication the company should consider identifying for the employees the types of activities that should be reported.

PREVENT & DETER: ANTI-FRAUD POLICY AND APPROPRIATE TRAININGS – It is not uncommon for employees to be confused as to what activities constitute fraud or misconduct against the organization. Some employees may abuse the company’s reimbursement policy of requiring receipts for expenses greater than $20, and other employees may conduct side business during work hours using the organization’s resources. While these activities may not be regularly called out as significant fraud, they nonetheless misuse the company’s assets and resources. Further, it is important to remember that most fraud starts out small. As the fraud scheme continues over a period of time, the typical perpetrator begins to gain confidence in the fraud scheme and may move on to fraud schemes involving larger amounts.

The tolerance of these types of behavior within an organization could also send the wrong message about management’s lenience towards employee misconduct and fraudulent behavior. This misunderstanding can be addressed by drafting and publishing an anti-fraud policy that clearly defines fraud and misconduct. This definition of fraud can also include specific, relevant examples of behavior that is not acceptable within the organization. Once the anti-fraud policy is published, periodic trainings can be held throughout the organization to provide its employees with a forum to discuss the importance of ethical behavior. In addition to defining fraud, this policy can also address how the company intends to respond to fraud and misconduct allegations.

DETER & DETECT: RESPONSE TO FRAUD ALLEGATIONS – Regardless of the size of the fraud allegation or the individual involved, the organization should consider having a documented policy of how fraud allegations will be investigated and resolved. The policy would typically include procedures for documentation preservation and evidence gathering. The policy can address which individuals or departments should be responsible, accountable, consulted, and informed depending on the nature of the allegation. Similar to fraud risk assessments, there are many companies that may have certified fraud examiners, attorneys, and certified public accountants on the payroll who may be able to conduct an effective internal investigation. However, if the amounts involved are potentially material to the financial statements or might involve members of senior management, leading practices would suggest that in many cases the investigation be conducted by independent attorneys and other third-party specialists. In the event that the fraud allegation subsequently gains the interest of the Securities and Exchange Commission or Department of Justice, adherence to this documented policy could be especially helpful.

Unfortunately, fraud is inevitable in many organizations. Internal controls can deteriorate over time, either because of technological advances or human intervention (management override or collusion). The successful implementation of these five anti-fraud controls is not a guarantee that fraud will not occur. Nonetheless, these additions to an organization’s control environment can play a significant role in deterring individuals from perpetrating fraud because they often send the message that senior management is committed to preventing and detecting fraud committed against the organization.

____________________

1Source: Black’s Law Dictionary, 6th edition, 1990
2Source: Investment News, “Firms Hit Executives in Wallet,” April 21, 2008
3Source: Occupational Fraud Abuse, by Joseph T. Wells, 1997
4The Securities and Exchange Commission already requires companies, including small business issuers, whose securities are quoted on Nasdaq, or listed on the American Stock Exchange or New York Stock Exchange, disclose whether the audit committee members are independent.
____________________

Erick O. Bell is a senior manager in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP in San Francisco. Erick focuses on corporate investigations, anti-fraud consulting, and litigation and dispute support. He has delivered various trainings on fraud awareness, fraud risk assessments, and forensic interviewing techniques; and is currently an adjunct faculty member at the University of San Francisco.

This publication contains general information only and Deloitte Financial Advisory Services LLP is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte Financial Advisory Services LLP shall not be responsible for any loss sustained by any person who relies on this publication.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

About the Author


Erick O. Bell, CPA, CFF, CFE, is a senior manager in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP in San Francisco. Erick focuses on corporate investigations, anti-fraud consulting, and litigation and dispute support. He has delivered various trainings on fraud awareness, fraud risk assessments, and forensic interviewing techniques; and is currently an adjunct faculty member at the University of San Francisco. Erick Bell can be contacted by email at erbell@deloitte.com or by phone at 415-783-6694.


5 Comments

  1. Cody
    February 16, 2009

    Curiously, what thoughts do you have around the ERC’s recent survey (http://ethics.org/ethics-today/1008/policy-report.asp) suggesting that only 3% of misconduct witnesses use a hotline (despite the fact that some 83% of the FTEs know a hotline exists)?

    Additionally, what about creating simple (controlled) workflows for a centralized capture and escalation of misconduct reporting? With the majority of reporters using an open door policy, it would seem that a tremendous opportunity exists for the loss of meaningful information (thus decreasing the potential for a company to capture and manage risk before it’s too late) when supervisors have limited or no consistent means for communicating an issue.

    Cody-

  2. Erick O. Bell
    February 21, 2009

    Fraud is much more likely to be detected by tips than by any other detection method. Therefore, a whistleblower hotline is an important aspect of a company’s anti-fraud program, but should not be the only means of reporting misconduct. I am not very familiar with the survey you referenced, but it is not surprising since a) many companies have not reevaluated the effectiveness of their whistleblower hotline since inception and b) many companies work hard to establish an environment of ethical responsibility that makes employees feel comfortable about reporting allegations directly to a supervisor instead of an anonymous hotline.

    It is incumbent upon senior management to set the proper tone around ethical behavior and responsibility through regular and meaningful communications with its managers and employees through newsletters, company-wide and senior executive meetings, annual certifications, and periodic fraud awareness trainings.

    It is also important that senior management treat allegations of misconduct with proper care and diligence. That is why I also stress the importance of having a strong fraud response policy to reference when these allegations arise. Your suggestion about a centralized workflow would be addressed in such a fraud response policy.

  3. Frank Coggins
    March 8, 2010

    The author cites the “American” Certified Fraud Examiners. Actually, it is the “Association of Certified Fraud Examiners.” I am a Certified Fraud Examiner (CFE) myself and happen to live in Austin, Texas where the Association’s headquarters is located. Well done article, thanks.

  4. CCI
    March 10, 2010

    Thank you Frank. The post has been updated to reflect this.

  5. Erick Bell
    March 25, 2010

    Thank you Frank for catching my typo. I am a Certified Fraud Examiner and have been a member of the Association of Certified Fraud Examiners since 2007. Shame on me!