Corporate fraud remains a significant threat to businesses despite legislative efforts, such as the Sarbanes-Oxley Act, to address it. Unfortunately, too many businesses have yet to adopt comprehensive, integrated fraud risk management programs. If your clients have put off taking this important step toward protecting their companies, now is the time to act.
Preventing, Detecting and Responding to Fraud
To be successful, a fraud risk management program should encompass all levels of the organization, starting at the top. It should meet three primary objectives: prevention, detection and response.
The first significant challenge is to gain an understanding of where a business entity is at risk for fraud. Be specific and realistic. One business entity’s vulnerabilities aren’t necessarily the same as those of similar-size businesses or even of its competitors. They need to examine risks objectively, as well. The question isn’t whether the long-time bookkeeper would embezzle funds; the question is whether he or she could. In assessing risks, they must consider both internal and external opportunities for malfeasance and how employees at any level of seniority could work alone or in concert to exploit them.
Once a thorough review of the company’s existing practices has been performed, consider the overall costs of their risks, including the consequences and long-term impact of leaving them unaddressed. Risk management is more than buying insurance; risk management is working to ensure they don’t need insurance because they’re taking steps to close gaps that fraudsters could exploit.
Written Policies Are Best
Next, address preventive strategies. If they don’t have a written code of ethics and business conduct, now is the time to develop both. Fraud prevention begins at the top with a clearly communicated commitment on the part of management. It isn’t enough to have a code of ethics; they must be seen following it.
Then look at their internal controls. Were fraud prevention and fraud detection considered when they were designed? If not, they must be reevaluated with an eye for closing possible loopholes. Policies to consider implementing include:
- Segregating financial and accounting duties
- Duplicating sensitive tasks (for example, double-signing checks over certain dollar thresholds)
- Requiring annual vacations for employees
- Reconciling all bank accounts
- Using passwords and IDs on computer files
- Restricting unauthorized access to offices and computers
- Training supervisors and managers to spot fraud
- Performing internal and external audits that include scrutiny of fraud prevention measures
It’s important to have proper oversight; for example, don’t allow the employees who create fraud policies to assess and manage them. For instance, if the IT staff devises its own security measures, someone outside the IT department should determine whether the measures are appropriate and adequate and monitor whether they’re being followed.
Allocate Resources Based on Priorities
Once a business entity has determined its areas of risk and ways to address them, management may discover they can’t do everything at once. If so, set some priorities so resources can be allocated most effectively.
Understand that not all risk is created equal. Some risk has the potential to cause damage that will ripple throughout the company but, when viewed objectively, is highly unlikely to occur. For example, fraudulent financial reporting can topple a company, but for publicly held businesses, heightened attention among auditors and the public, combined with internal changes driven by Sarbanes-Oxley, makes it more difficult to perpetrate today. However, it is the smaller, closely held company that is subject to a greater risk of fraud.
Other potential problems may do less damage, but there’s a much better chance they’ll happen. Perhaps an overworked bookkeeper with a heavy mortgage could exploit operational loopholes to embezzle money fairly easily. In deciding how best to allocate your fraud prevention resources, assess the probability of different risks rather than simply their size.
A business should set up a continuous monitoring system that will allow it to track and adjust controls as changing circumstances require. Fraud risk management isn’t a one-time project. Businesses must constantly evaluate existing internal controls and fraud prevention measures, comparing them with legal, regulatory and best practice standards.
Costs and Benefits
Fraud risk management can be time-consuming and complicated to design and implement, but it’s nothing compared to the stress and potential losses (both financial and nonfinancial) that a fraud scheme can create. It’s worth the initial headaches to have the peace of mind that a good fraud prevention program can deliver.
Local Case Study
In a recent case, we assisted a governmental entity with a review of their controls over cash because they had actually taken a hit by a trusted manager. We found some weaknesses in their controls and gave them suggestions for improvement. The employees of the governmental entity were aware of the misappropriation of cash, the investigation and the termination of the employee and the precautionary measures taken afterwards. The actions taken by this entity, including hiring an outside firm to help assess risk, will help to deter future occurrences of fraud.
We Can Help
Not all risk is created equal. Now is the time to evaluate those risks and set up a plan to prevent fraud from happening to your organization. The consulting team at Elliott Davis Decosimo is highly experienced in providing fraud risk assessments and advisory services. To discuss your unique situation, contact your Elliott Davis Decosimo advisor or email Mike Costello.