Have you ever wondered, “Can fraud happen to me?” or, “If it does, what should I do?” You’re not alone. Fraud is prevalent among all types of organizations. It is a worldwide problem, and it can be the downfall of an entire organization. Fraudulent behavior by senior management has negatively impacted brands, images, and reputations. Don’t let that happen to you. There are controls and governance policies organizations can implement to mitigate the likelihood of fraud. Of course, every organization varies in size, product offering, industry, company culture, etc., but there are 5 basic principles any organization can follow to mitigate fraud.

PRINCIPLE 1: FRAUD RISK MANAGEMENT PROGRAM

Written Policy

A fraud risk management program should be in place, including a written policy (or policies) to understand the expectations of senior management and the Board of Directors. This policy or policies are part of your business’s corporate governance. Corporate governance can be defined as “the system by which companies are directed and controlled” and “The process by which corporations are made responsive to the rights and wishes of stakeholders.” A written policy also provides a clear definition of what is classified as acceptable and unacceptable behavior.

Fraud Communication

An ongoing awareness program is essential to deliver and communicate the fraud risk management program throughout your organization. An awareness program will convey fraud risk management expectations, and is one key preventive measure to deter fraud from ever occurring.

Roles and Responsibilities

Fraud risk management responsibility should be taken on by every employee, vendor, and stakeholder. Each person’s role and responsibility will determine how involved that person is with the program. At a high level, the board of directors/executives should communicate the importance of the new or ongoing fraud risk policy (or policies). If the board and/or upper management don’t think the program is important, the rest of the organization will view it in like manner. Management is responsible for the design and implementation of the program. Staff need to understand the importance of the program, have a basic understanding of fraud, and be aware of ‘red flags’. The board and senior management should embed this fraud risk management program into the organization’s values and code of conduct. The organization may consider issuing documents (i.e., a letter) to all employees, vendors, and customers. The document should stress the importance of fraud mitigation, the organization’s vulnerability to fraud, and the responsibility of all stakeholders to support fraud risk management. All stakeholders should be reminded periodically of the importance of fraud risk management. An effective Fraud Risk Management Program serves as an excellent fraud prevention tool. Now that you have a written policy, the next step is to assess fraud exposure.

PRINCIPLE 2: PERIODIC FRAUD RISK ASSESSMENT

Key Elements

Generally, an assessment of fraud risk will include the following:

  • Identify inherent fraud risk
  • Assess likelihood and significance of inherent fraud risk
  • Respond to reasonably likely & significant inherent and residual fraud risks

Prior to performing a fraud risk assessment, choose personnel across multiple departments and have this ‘Risk Assessment Team’ create the assessment. The team’s 1st step is to put themselves in the shoes of the perpetrator. Try to think of all the various types of fraud, from stealing cash and equipment to financial reporting fraud. The 2nd step is to think of the chances, or the likelihood, that the different fraud types can impact your organization. Always remember the fraud triangle when you are assessing the risk. The fraud triangle is the concept that fraud perpetrators need an incentive, pressure, and opportunity to commit fraud.



General Fraud Types

Look out for three general types of fraud: financial reporting, misappropriation of assets, and corruption. An example of financial reporting fraud is when a company’s revenues are recorded too high in order to reach estimates, or when inventory is recorded too high in order to reduce cost of goods sold. Misappropriation of assets is where an employee, vendor, etc. steals an intangible/tangible good (i.e., cash, equipment), or when an employee submits a fake invoice for a non-existent vendor. Corruption is defined as the misuse of entrusted power for private gain. Many countries have laws in place to prevent any private organization or person from influencing a politician for their private gain. After you have assessed the risks and the chances of them occurring, you can go on to principle 3.



PRINCIPLE 3: FRAUD PREVENTION TECHNIQUES


Fraud prevention is the most proactive fraud-fighting measure. Granted, even a well-implemented fraud prevention control system cannot eliminate 100% of the chance of fraud, but it does give you a better chance of not falling victim to fraud.

Healthy Company Culture

One way to implement prevention controls is a healthy work culture. Have your HR department implement anti-fraud trainings. Proper and fair compensation is also critical. If employees are happy with their wages and how they are treated, and are succeeding in the workplace, they are (generally speaking) less prone to committing fraud. In addition, exit interviews are a way to help the company determine issues regarding management’s integrity or even information regarding conditions conducive to fraud.

Authority / Responsibility

Each employee’s authority should be aligned with her/his responsibility. For example, not every employee should have a company credit card, and those that do should have limits which are governed by their job-related tasks. Staff-level employees should not be given the authority to spend thousands or even hundreds of dollars without management approval. If your company does not have any controls in place, you may consider implementing a spending policy.

Policies & Continuous Monitoring

A good prevention control system will not be effective unless the organization writes the policy and educates the employees. Also, make sure you are assessing the prevention controls periodically to ensure the controls are still appropriate. It is upper management’s and the board of directors’ responsibility to monitor & implement any changes to the prevention controls. Monitoring will give the organization insight as to which controls are effective and which need to change.

Prevention techniques are good at fighting against fraud, but fraud prevention techniques alone won’t help you too much if fraud does occur. This leads us to principle 4.



PRINCIPLE 4: FRAUD DETECTION TECHNIQUES

Fraud detection is one of the best ways to deter fraud from ever occurring. There are many controls your organization can implement. However, the fraud risk tolerance of an organization will guide upper management on which types of controls, and how many, they wish to implement.

Whistle-blower Hotline

Consider using a ‘Whistle-blower hotline’ as a control measure. The whistle-blower hotline is the number one control measure to detect fraud. Of course, the whistle-blower hotline should be anonymous. The program should be open for vendors and the public to call and report fraudulent activity. The program should have controls in place to review the information received and compare results to norms for organizations similar to yours. Also, consider having a third party independent of the organization review the program’s effectiveness and its compliance with established protocols and the law.


Internal Controls & Technology

When an organization implements internal controls and segregates duties, fraud can be more easily detected. It is much more difficult for the perpetrator to steal when the posting of accounting records, cash management, and the reconciliation of accounting records are each completed by different personnel. Technology tools are available to detect fraud. These tools compare the ‘norms’ to actual activity. They can identify the following:

  • Hidden relationships among people, events, and organizations
  • Suspicious transactions
  • Effectiveness of internal controls

As always, remember to document your fraud detection techniques, educate the whole organization, and monitor the techniques for effectiveness.

Thus far, we have learned that a well-rounded fraud risk program needs to be documented and part of the company values/code of conduct, periodic assessments of the risks of fraud need to be performed, fraud preventive techniques fight against fraud, and fraud detective techniques tell us when fraud is prevalent in the organization. But what should you do if you suspect fraud or have evidence of fraud? This question leads us to principle 5.

PRINCIPLE 5: FRAUD INVESTIGATION

Key Process Topics

If indeed you find someone who has committed fraud, or suspect someone of committing fraud, you should have a policy already in place to guide the organization on how to investigate and what should be done. According to the ACFE, each investigation and response system should include a process for the following:

  • Categorizing issues
  • Confirming the validity of the allegation
  • Defining the severity of the allegation
  • Escalating the issue or investigation when appropriate
  • Referring issues outside the scope of the program
  • Conducting the investigation and fact-finding
  • Resolving or closing the investigation
  • Listing types of confidential information
  • Defining how the investigation will be documented
  • Managing and retaining documents and information


Outsource Professional Expertise


When appropriate, consider reaching out to professionals outside of the organization, including lawyers, accountants, fraud investigators, computer forensic specialists, etc. These outside professionals will advise the organization on how to proceed and what the corrective action should be from a legal standpoint or even from a financial standpoint. At the conclusion of the investigation, record the results and implement new controls (preventive & detective) to reduce the likelihood that the same type of fraud will victimize your organization again.

FINAL THOUGHTS

Fraud may not be a subject anyone wants to deal with, but the fact is most organizations experience fraud at some level. It’s important to note that preparing and creating a fraud risk management policy is constructive and forward-thinking. Strong organizations exist because management anticipates issues before they occur and takes action to avoid unwanted results. Implementation of a fraud risk management program should bring a climate where clear, definite, and positive steps are taken to protect employees and management and to ensure a positive company culture.

If you would like a more detailed way on how to implement a fraud risk management program, there is much written on the subject. I recommend you start with the book ‘Managing the Business Risk of Fraud: A Practical Guide’ sponsored by The Institute of Internal Auditors, The American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners. This book will give you a step-by-step process and reference material on how to create a fraud risk management program in great detail. Good luck!

If you would like to speak with me, I am available. Please email me at david@dfarnsworthcpa.com or call me at (408) 780-2236. Have a great day!

David Farnsworth, CPA  
