This is the second post in a series about fraud at organizations. The first post covered the need for strong corporate governance in managing fraud risk.
Owners and leaders of organizations who want to mitigate fraud risk and quickly identify bad actors within their organization need to think about two crucial dimensions of fraud systems: prevention and detection.
Of course, it is best to prevent fraud. But no organization is immune. When it happens, early detection is crucial to minimize losses if the fraud is ongoing. Having a proper fraud detection system in place can also help organizations to identify errors, waste and inefficiencies, thus increasing profitability or reducing losses.
The first line of defense in minimizing fraud risk is fraud prevention. Prevention is typically the most cost-effective component of a fraud risk management system because it poses barriers to fraud, deters fraud, and can eliminate the need for costly investigations.
Fraud prevention is implemented through preventive controls. These controls may derive from a standards-based information security management system or a framework such as the Internal Control – Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Such controls function as treatments for identified risks. As with all controls, they must continuously be monitored for optimal effectiveness.
Fraud preventive controls include human resource (HR) procedures (e.g., job applicant background investigations, anti-fraud training, employee evaluation and compensation programs). They could also include IT controls (e.g., limiting access rights based on employee level and/or job requirements) and operational controls (e.g., segregation of duties, authority limits, and transaction level procedures).
To be successful, a fraud prevention program will be carefully documented, integrated into the organization’s fraud management effort, and continuously monitored and improved. Employees at all levels of the organization should be aware of the relevant program policies and procedures, and trained as needed.
Fraud can never be fully prevented; therefore, a highly effective fraud detection system must be in place to detect frauds as they occur.
In the same way that the fraud prevention system requires preventive controls, the fraud detection system requires detective controls.
Detective controls are generally matched with identified risks, and they tend to be clandestine. In some cases, it may be more cost effective to implement controls to detect rather than prevent fraud. Further, detective controls can have a preventive effect through deterrence.
One of the most important fraud detection controls is a whistle-blower hotline. Such hotlines are mandated by the Sarbanes–Oxley Act for U.S. listed firms and are generally the most likely means of detecting fraud. The Association of Certified Fraud Examiners (ACFE) 2016 Report to the National on Occupational Fraud and Abuse found that “while tips were the most common detection method regardless of whether a hotline was in place, schemes were detected by tip in 47.3% of cases at organizations that had hotlines, but in only 28.2% of cases at organizations without them.”
To be effective, hotlines should
- be promoted.
- provide for anonymity (or at least confidentiality) of the whistle-blower.
- provide for reporting to senior management or the audit committee.
- work under a single case management system.
- be continually reviewed for effectiveness by an independent evaluator.
Fraud detection is also enhanced by process controls. Such controls are designed to detect both fraud and errors, and include
- independent reviews,
- physical counts and inspections,
- analyses, and
Specific controls should be implemented, along with proactive fraud detection procedures that include data analysis, continuous auditing, and other supporting technologies.
As with all other components of the fraud risk management system, fraud detection processes and techniques must be carefully documented for optimal effectiveness. Documentation should generally exist for all detection controls and processes and should specifically exist for monitoring processes and results; for testing procedures used to assess controls; and for the roles and responsibilities that support fraud detection.
Continuous monitoring of fraud detection is essential. The organization should develop ongoing monitoring and measurements to evaluate, remedy, and improve the organization’s fraud prevention and detection techniques.
All violations of the organization’s code of conduct should be reported and dealt with in a timely manner. Appropriate punishment should be applied, even if senior management is involved.
Fraud versus errors, waste and inefficiency
Efficient fraud detection systems can detect not only fraud but also waste and inefficiency.
In many cases, the fraud detection system simply raises a red flag. It is then necessary to follow up with an investigation to determine the underlying issue. For example, a fraud detection system might flag irregular production orders on the basis of the excess amounts of materials being applied to particular work in process jobs. A follow-up of these irregular orders might then lead to finding either waste or fraud. In cases of waste or inefficiency, firm leaders have an opportunity to boost profitability by fixing these areas.
NOTE: This material is adapted from the following text:
Essentials of Forensic Accounting, Michael A. Crain, William S. Hopwood, Carl Pacini, George R. Young, Copyright 2015. American Institute of Certified Public Accountants, Inc. All rights reserved. Reprinted with permission.