Corporate Compliance Insights

Internal Control Checklist: 5 Anti-Fraud Strategies to Deter, Prevent and Detect Fraud

by Erick Bell
March 10, 2010
in Fraud

Every company should want to prevent fraud from happening against their organization, and most companies will not readily admit that their organizations may be vulnerable to any significant fraud. The reality is that many individuals can commit fraud against any organization with a clever understanding of the company’s internal controls structure.

Black’s Law Dictionary¹ defines fraud as “a false representation of a matter of fact…which deceives and is intended to deceive another”. Fraud can be perpetrated by an individual within an organization or external to the organization. It is generally described in three categories: asset misappropriation, fraudulent accounting and financial reporting, and corruption.

Fraud is a relevant issue worthy of discussion – particularly in today’s economy. As the price of a gallon of gasoline and the adjustable interest rates on certain home mortgages continue to rise, employment stability and incentive compensation payouts continue to decline². This dichotomy can increase the pressures and incentives for individuals to concoct fraud schemes to perpetrate. These individuals often rationalize their fraudulent actions by supposing that a) the dollar amount is not significant enough to the company for management to care; b) their current salary is below market and they have “earned” this payoff; c) management is already considering layoffs and the severance packages will likely not cover their immediate expenses; and d) they’re too clever to get caught. With the appropriate amount of pressure/incentive and rationalization, history has shown that some individuals may turn their attention towards the opportunities that exist within a company’s internal control structure that could allow a fraud to be committed and, in the potential fraudster’s mind, not detected.

These three factors (pressures/incentives, opportunity, and rationalization) are commonly referred to as the fraud triangle³, and when all three of those conditions are present the risk of fraud being perpetrated can increase significantly. Of those three conditions, opportunity is the one condition that can most effectively be managed to address fraud risks. This condition is principally managed by designing and implementing a control environment that prevents, detects, and deters most fraudulent behavior, whether conducted by employees, vendors, consultants, or senior management. As part of such a control environment, there are five key anti-fraud controls that companies can implement, and it begins with the tone at the top.

Prevent: A Truly Independent and Empowered Audit Committee

Organizations that have stakeholders and shareholders independent of management (whether publicly traded or privately held) should also have an audit committee that is independent of management⁴. The audit committee should be knowledgeable of the company’s fraud risk exposure and aware of the steps management is taking to monitor and mitigate those risks. Truly independent audit committees may also maintain healthy levels of skepticism to promote continuous evaluations of the company’s anti-fraud programs and controls. The audit committee has the responsibility to monitor the results of the annual audits and quarterly reviews, and is also responsible for directing the activities of the internal audit department (if one exists within the organization).

According to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation, internal auditors and independent auditors accounted for approximately 29% of the occupational fraud discovered. The independent auditors have auditing standards that they follow to identify material misstatements due to fraud (SAS 99). However, empowered audit committees can play an active role in the direction, monitoring, and evaluation of the internal auditors to ascertain whether the procedures performed are in those areas that carry the most significant risks. Those significant fraud risk assessment.

Prevent: Conduct Detailed Fraud Risk Assessments

PCAOB Standard No. 5, released in 2007, encourages public companies to conduct annual risk assessments and use the results of those assessments to identify the key controls in the significant areas. PCAOB Standard No. 5 also made specific reference to fraud, encouraging management to identify those key controls that are specifically designed to address the risk of fraud.

One purpose of a fraud risk assessment is to help focus management’s attention on the significant fraud risks to be addressed. A fraud risk assessment can be recurring and systematic, and it can involve various levels of management across all functions of the business. An effective fraud risk assessment may include specific fraud schemes that could be perpetrated against the organization, including the people or departments within the organization that could commit each scheme, the likelihood of that scheme occurring against the company in the current year, and the magnitude of impact that the scheme would have on the organization.

The specific fraud schemes identified can be linked to existing internal controls within the organization that can mitigate the fraud risk. The fraud risk assessment can also include a gap analysis that includes a remediation plan for significant fraud risks that could not be linked to existing internal controls. Some companies may have the appropriate resources internally to apply effective interviewing techniques to identify the fraud schemes that could occur across the organization. However, many external provider to assist in conducting the interviews and facilitating the brainstorming sessions so that the meetings are relevant and focused.

One of the advantages of conducting the fraud risk assessment throughout the organization is that it can increase the visibility of management’s attitudes towards managing fraud risks. The increase in management’s communication about fraudulent behavior typically results in greater employee sensitivity to the importance of acting in an appropriate manner (thereby, potentially reducing some of the rationalization that can occur) and the confidence to report suspicious or inappropriate activities.

Deter & Detect: Promote the Tools for Effective Reporting of Suspicious or Inappropriate Activities

The Sarbanes-Oxley Act requires audit committees to establish procedures for the receipt, retention, and treatment of employee complaints across a variety of issues, including fraud and misconduct, and a whistleblower hotline is one of the easiest and least expensive of such procedures. According to the 2008 ACFE Report to the Nation, approximately 46% of all fraud was uncovered through tips. However, the existence of a hotline may not be enough.

Management should also consider conducting periodic evaluations to determine whether the whistleblower hotline is effective, including benchmarking analysis against competitors. The company should consider using an experienced outside agency to manage the whistleblower hotline to enhance the perception of confidentiality. If an outside agency is not used to manage the whistleblower hotline, the whistleblower complaints can be initially reviewed by an ethics committee of the company (or similar internal resource with direct access to the audit committee) and reported in a timely manner to individuals within the appropriate group best equipped to handle the matter.

Since fraud can also include bribery and corruption, access to the whistleblower hotline can be made available to vendors and customers as well as employees. For companies doing business globally, it is advisable for the hotline to be available 24 hours a day, 365 days a year and have multi-lingual capabilities. Most importantly, the availability of the hotline should be communicated on a regular basis, at least annually. As part of this communication the company should consider identifying for the employees the types of activities that should be reported.

Prevent & Deter: Anti-Fraud Policy and Appropriate Trainings

It is not uncommon for employees to be confused as to what activities constitute fraud or misconduct against the organization. Some employees may abuse the company’s reimbursement policy of requiring receipts for expenses greater than $20, and other employees may conduct side business during work hours using the organization’s resources. While these activities may not be regularly called out as significant fraud, they nonetheless misuse the company’s assets and resources. Further, it is important to remember that most fraud starts out small. As the fraud scheme continues over a period of time, the typical perpetrator begins to gain confidence in the fraud scheme and may move on to fraud schemes involving larger amounts.

The tolerance of these types of behavior within an organization could also send the wrong message about management’s lenience towards employee misconduct and fraudulent behavior. This misunderstanding can be addressed by drafting and publishing an anti-fraud policy that clearly defines fraud and misconduct. This definition of fraud can also include specific, relevant examples of behavior that is not acceptable within the organization. Once the anti-fraud policy is published, periodic ethics trainings can be held throughout the organization to provide its employees with a forum to discuss the importance of ethical behavior. In addition to defining fraud, this policy can also address how the company intends to respond to fraud and misconduct allegations.

Deter & Detect: Response to Fraud Allegations

Regardless of the size of the fraud allegation or the individual involved, the organization should consider having a documented policy of how fraud allegations will be investigated and resolved. The policy would typically include procedures for documentation preservation and evidence gathering. The policy can address which individuals or departments should be responsible, accountable, consulted, and informed depending on the nature of the allegation. Similar to fraud risk assessments, there are many companies that may have certified fraud examiners, attorneys, and certified public accountants on the payroll who may be able to conduct an effective internal investigation. However, if the amounts involved are potentially material to the financial statements or might involve members of senior management, leading practices would suggest that in many cases the investigation be conducted by independent attorneys and other third-party specialists. In the event that the fraud allegation subsequently gains the interest of the Securities and Exchange Commission or Department of Justice, adherence to this documented policy could be especially helpful.

Unfortunately, fraud is inevitable in many organizations. Internal controls can deteriorate over time, either because of technological advances or human intervention (management override or collusion). The successful implementation of these five anti-fraud controls is not a guarantee that fraud will not occur. Nonetheless, these additions to an organization’s control environment can play a significant role in deterring individuals from perpetrating fraud because they often send the message that senior management is committed to preventing and detecting fraud committed against the organization.

____________________

1 – Source: Black’s Law Dictionary, 6th edition, 1990
2 – Source: Investment News, “Firms Hit Executives in Wallet,” April 21, 2008
3 – Source: Occupational Fraud Abuse, by Joseph T. Wells, 1997
4 – The Securities and Exchange Commission already requires companies, including small business issuers, whose securities are quoted on Nasdaq, or listed on the American Stock Exchange or New York Stock Exchange, to disclose whether the audit committee members are independent.

 


Tags: Internal Controls

Erick O. Bell, CPA, CFF, CFE, is a senior manager in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP in San Francisco. Erick focuses on corporate investigations, anti-fraud consulting, and litigation and dispute support. He has delivered various trainings on fraud awareness, fraud risk assessments, and forensic interviewing techniques; and is currently an adjunct faculty member at the University of San Francisco. Erick Bell can be contacted by email at erbell@deloitte.com or by phone at 415-783-6694
