The Steal Industry

Business Owners Must Understand Fraud Risk and Internal Control

Melyssa Brown

Fraud is not an accounting problem or an internal-control problem; it is a human problem.
Most people who commit fraud at work are not career criminals, and often are trusted staff with no criminal history. Those employees have motivation, rationalization, and opportunity, which can be noticed by others within the organization.
Fraud affects all sizes of businesses, from small, family-owned companies to nationally recognized organizations. Effective anti-fraud programs and controls encompass a wide range of activities and policies, including governance, employee training and education, fraud-risk assessment, and internal controls.
What follows is an examination of how and why fraud occurs, and the steps companies can take to control it.

Motivation, Rationalization, and Opportunity
Motivation or pressure may include financial problems; addictions like gambling, shopping, or drugs; as well as pressure to show good or improved performance or results. Rationalization occurs when employees think they are justified because they are underpaid, or it’s for their family, or they need it now but they’ll pay it back before anyone notices. Opportunity is created when there are weaknesses in controls.
Employees think they won’t get caught because of a lack of oversight. Behavioral red flags that can indicate fraud include living beyond one’s means, unusually close association with a vendor, customer, or auditor, control issues, and unwillingness to share duties. Executing or implementing the methods and procedures suggested below can mitigate the opportunity for fraud.

Governance
Preventing fraud starts with setting the tone at the top for the rest of the organization. Management needs to create a culture through words and actions where it is clear that fraud is not tolerated, that any such behavior is dealt with swiftly and decisively, and that whistleblowers will not suffer retribution. The board of directors (or owner, if, due to the organization’s size, no board is established) should maintain oversight of the fraud-risk assessment, obtain assurance that controls are effective, and oversee that internal controls are established. The board of directors could also hire a certified public accounting firm to perform an external audit of the organization’s financial statements.
Having an internal audit department or fraud-examination department provides objective assurance to the board and management that controls are sufficient for identified fraud risks and ensures that the controls are functioning effectively. Also, that department can perform surprise audits on various areas of the organization on a haphazard, rotating basis to deter and detect fraud.
In addition, the board or management could create a code-of-conduct policy that includes appropriate ethical practices, anti-fraud verbiage, and whistleblower information, which should be circulated to all employees, with rewards outlined for whistleblowers. In order to be effective, communication regarding the organization’s anti-fraud policies and procedures must flow throughout the organization.

Employee Training and Education
All employees must receive a clear message that the organization is serious about its commitment to preventing fraud. Each employee must fully understand all relevant aspects of the organization’s anti-fraud policies and should understand how their individual daily responsibilities are designed to manage fraud risks.
Every level of staff, including managers and executives, could be given fraud and ethics training when hired, with the training updated yearly. Employment background checks should be performed during the hiring process. Also, employees could be cross-trained, which coincides with job rotation and mandatory vacations, where someone else performs the work for a specified amount of time; this lessens the opportunity for one employee to commit fraud.

Fraud-risk Assessment
Management can perform a fraud-risk assessment on a systematic and recurring basis. This process should identify the organization’s vulnerability to fraud and where it may occur, consider relevant fraud schemes and scenarios, and determine the potential impact of fraud on the financial statements.
Management’s assessment of fraud risk should also include the potential for fraudulent financial reporting, misappropriation of assets, and unauthorized or improper revenue and expenditures. While analyzing the organization’s vulnerability, consider the following: how an employee might exploit weaknesses in internal controls, how they could override or circumvent controls, and what an employee could do to conceal the fraud. The process should also include ongoing testing of the internal controls to ensure that they are functioning as designed and changes are made in a timely manner to strengthen the controls.

Internal Controls
Effective internal controls start with the proper segregation of duties. Management should ensure that transactions are initiated, authorized, recorded, and reported according to management’s policies and procedures, which are driven by the organization’s governance.
Management’s review of reconciled general ledger accounts, including but not limited to bank statements, accounts receivable, accounts payable, and financial statements, should occur monthly.
Examples of additional internal controls include: blank checks kept secured in a locked cabinet, safe, etc.; two signatures required on checks over a certain limit; secured inventory that is monitored and counted periodically; management approval of new vendors; and employee-expense reimbursement requiring a formal report completed and approved, with actual itemized receipts attached.
Even the best systems of internal control cannot provide absolute assurance against fraud. To help reduce the risk of fraud, organizations need to diligently perform a fraud-risk assessment and internal-control review. Those are the keys to prevention and timely detection of fraud.
The methods noted above may seem daunting; however, a reputable certified public accounting firm can provide examples of policies and tools for the fraud-risk assessment process.

Melyssa Brown, CPA, MBA is an audit and accounting manager for the Holyoke-based public accounting firm Meyers Brothers Kalicka, P.C.; (413) 322-3484; [email protected]