Every company should want to prevent fraud from happening against their organization, and most companies will not readily admit that their organizations may be vulnerable to any significant fraud. The reality is that many individuals can commit fraud against any organization with a clever understanding of the company’s internal controls structure.

Black’s Law Dictionary1 defines fraud as “a false representation of a matter of fact…which deceives and isInternal Control Checklist | Anti-Fraud Strategies to Deter, Prevent, Detect intended to deceive another”. Fraud can be perpetrated by an individual within an organization or external to the organization. It is generally described in three categories: asset misappropriation, fraudulent accounting and financial reporting, and corruption.

Fraud is a relevant issue worthy of discussion – particularly in today’s economy. As the price of a gallon of gasoline and the adjustable interest rates on certain home mortgages continue to rise, employment stability and incentive compensation payouts continue to decline2. This dichotomy can increase the pressures and incentives for individuals to concoct fraud schemes to perpetrate. These individuals often rationalize their fraudulent actions by supposing that a) the dollar amount is not significant enough to the company for management to care; b) their current salary is below market and they have “earned” this payoff; c) management is already considering layoffs and the severance packages will likely not cover their immediate expenses; and d) they’re too clever to get caught. With the appropriate amount of pressure/incentive and rationalization, history has shown that some individuals may turn their attention towards the opportunities that exist within a company’s internal control structure that could allow a fraud to be committed and, in the potential fraudster’s mind, not detected.

These three factors (pressures/incentives, opportunity, and rationalization) are commonly referred to as the fraud triangle3, and when all three of those conditions are present the risk of fraud being perpetrated can increase significantly. Of those three conditions, opportunity is the one condition that can most effectively be managed to address fraud risks. This condition is principally managed by designing and implementing a control environment that prevents, detects, and deters most fraudulent behavior, whether conducted by employees, vendors, consultants, or senior management. As part of such a control environment, there are five key anti-fraud controls that companies can implement, and it begins with the tone at the top.

PREVENT: A TRULY INDEPENDENT AND EMPOWERED AUDIT COMMITTEE – Organizations that have stakeholders and shareholders independent of management (whether publicly traded or privately held) should also have an audit committee that is independent of management4. The audit committee should be knowledgeable of the company’s fraud risk exposure and aware of the steps management is taking to monitor and mitigate those risks. Truly independent audit committees may also maintain healthy levels of skepticism to promote continuous evaluations of the company’s anti-fraud programs and controls. The audit committee has the responsibility to monitor the results of the annual audits and quarterly reviews, and is also responsible for directing the activities of the internal audit department (if one exists within the organization).

PREVENT: CONDUCT DETAILED FRAUD RISK ASSESSMENTS – PCAOB Standard No. 5, released in 2007, encourages public companies to conduct annual risk assessments and use the results of those assessments to identify the key controls in the significant areas. PCAOB Standard No. 5 also made specific reference to fraud, encouraging management to identify those key controls that are specifically designed to address the risk of fraud.

DETER & DETECT: PROMOTE THE TOOLS FOR EFFECTIVE REPORTING OF SUSPICIOUS OR INAPPROPRIATE ACTIVITIES – The Sarbanes Oxley Act requires audit committees to establish procedures for the receipt, retention, and treatment of employee complaints across a variety of issues, including fraud and misconduct, and a whistleblower hotline is one of the easiest and least expensive of such procedures. According to the 2008 ACFE Report to the Nation, approximately 46% of all fraud was uncovered through tips. However, the existence of a hotline may not be enough.

PREVENT & DETER: ANTI-FRAUD POLICY AND APPROPRIATE TRAININGS – It is not uncommon for employees to be confused as to what activities constitute fraud or misconduct against the organization. Some employees may abuse the company’s reimbursement policy of requiring receipts for expenses greater than $20, and other employees may conduct side business during work hours using the organization’s resources. While these activities may not be regularly called out as significant fraud, they nonetheless misuse the company’s assets and resources. Further, it is important to remember that most fraud starts out small. As the fraud scheme continues over a period of time, the typical perpetrator begins to gain confidence in the fraud scheme and may move on to fraud schemes involving larger amounts.

DETER & DETECT: RESPONSE TO FRAUD ALLEGATIONS – Regardless of the size of the fraud allegation or the individual involved, the organization should consider having a documented policy of how fraud allegations will be investigated and resolved. The policy would typically include procedures for documentation preservation and evidence gathering. The policy can address which individuals or departments should be responsible, accountable, consulted, and informed depending on the nature of the allegation.

Erick O. Bell is a senior manager in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP in San Francisco. Erick focuses on corporate investigations, anti-fraud consulting, and litigation and dispute support. He has delivered various trainings on fraud awareness, fraud risk assessments, and forensic interviewing techniques; and is currently an adjunct faculty member at the University of San Francisco.

This story is available in full at Corporate Compliance Insights.