Fraud never seems to go out of style — and much of it comes from within. Internal fraud, also known as occupational fraud, is defined by the Association of Certified Fraud Examiners (ACFE) as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organization’s resources or assets.”
The ACFE’s 2018 Report to the Nations on Occupational Fraud and Abuse states that the typical organization loses 5% of revenues to fraud each year. In the 2,690 cases they studied, fraud caused an excess of $7 billion in losses. Open the infographic below for more eye-opening statistics.
For any type of company, the most effective overall way to combat fraud is to build a strong framework of internal controls. When doing so, you’ll heighten your odds of success by reinforcing the following five pillars.
They say responsibility begins at the top — and they’re right. For any internal control system to be effective, its first pillar must be the establishment of a strong ethical position by management and a clear delineation of responsibilities thereafter.
Many businesses have taken to formally drafting an ethics policy. This document can help management clearly express its approach to doing business and apply those philosophies to its internal controls. When employees know such a policy exists, and management is following it, they’ll also know that any attempt to commit fraud will be much riskier.
Equally important to a strong ethical position is a clear delineation of internal control responsibilities. Again, formally documenting this can be helpful.
You've probably heard it before, but spreading out risk-intensive tasks among several employees remains fundamental. To the extent possible, segregate the handling of key assets into three categories:
2. Custody, and
3. Record keeping.
Take a very simple example: your petty cash drawer. Ideally, one employee should be in charge of authorizing its use; another should keep it safe and make disbursements; and a third should maintain records regarding its usage.
Handling all major assets in this manner creates a system of checks and balances that will hamper any one dishonest employee from misusing the item. Smaller businesses may have a harder time spreading duties among a more diminutive staff. But it’s here that owners must step up and keep an active hand in oversight.
The days of an office safe and a locked desk are long gone. Today, every business needs to implement expansive controls throughout their facilities. You can organize these into categories such as:
Physical. These would include locked doors, safes, vaults and even specially designed rooms or structures to hold valuable assets.
Mechanical. This category generally comprises video monitoring systems, time clocks for tracking the work of hourly employees, and alarm systems for regulating entry access to buildings and rooms.
Information technology. Companies now need comprehensive IT security policies to prevent fraudsters from stealing or vandalizing critical information (or just money and products). Specific controls here include passwords, server and software authentication, and source code/document version control procedures.
Complete documentation is important for knowing not only what you have, but also what you don’t have. For starters, you need to scrupulously maintain your financial statements and regularly review them for, among other things, suspicious budget-to-actual variances.
But airtight financial statements alone don’t a fraud-free company make. There are other forms of documentation that can help you detect and prevent fraud. For example, create invoices that are distinctive to your company and sufficiently informative. Doing so will make them more difficult to fabricate.
Also, whenever possible, use pre-numbered, consecutive documents. That way, if one falls out of order, you have a quick indicator of something gone awry. In addition, prepare paperwork in a timely fashion. When documentation falls behind, it can be easier for a fraudster to step in and take advantage.
As you probably know, large companies have internal auditors on staff to regularly evaluate the effectiveness of internal controls. Small-to-midsize companies can’t always afford to keep such staff members on the payroll. But you still need an internal auditing process to periodically review and reconcile internal control data and procedures.
The audit process should be planned well in advance. Many companies perform internal auditing in stages over the course of a calendar year or even over multiple years. For many aspects of an audit, the element of surprise can be helpful. When employees don’t know when the process is scheduled to begin, they can’t preemptively fix mistakes or, in worst cases, cover their tracks after committing fraud.
External audits are also highly advisable. Kruggel Lawton can perform an audit to determine whether your financial reporting follows the standards prescribed under Generally Accepted Accounting Principles (GAAP). Although this process doesn’t specifically focus on fraud detection, it can reveal critical details about the soundness of your financial reporting. (There are also two, less comprehensive alternatives to consider: a compilation or a review. They’re also not designed to detect fraud.)
For fraud-specific services, consider forensic accounting. Going this route, an actual investigation can be conducted if you believe fraud has occurred, or it can simply be a review of your internal controls with insights into their effectiveness.
A system of internal controls built on these five pillars stands an excellent chance of being solid as a rock. Of course, there are other details to consider, and your company’s specific control needs may vary depending on its size, industry and location. Kruggel Lawton professionals can help you regularly assess and fine-tune.