Corporate fraud remains a significant threat to businesses, despite legislative efforts, such as the Sarbanes-Oxley Act, to address it. Unfortunately, too many businesses have yet to adopt comprehensive, integrated fraud risk management programs. If you've put off taking this important step toward protecting your company, now is the time to act.
Preventing, Detecting and Responding to Fraud
To be successful, your fraud risk management program should encompass all levels of your organization, starting at the top. It should meet three primary objectives: prevention, detection and response.
The first significant challenge is to gain an understanding where you¡¦re at risk for fraud. Be specific and realistic. Your vulnerabilities aren't necessarily the same as those of similar-size businesses or even of your close competitors. You may, for example, already segregate duties in your purchasing department, while your competition may have stopped with password protections.
You need to examine your risk objectively, as well. The question isn't whether your long-time bookkeeper would embezzle funds; the question is whether he or she could. In assessing your risks, consider both internal and external opportunities for malfeasance and how employees at any level of seniority could work alone or in concert to exploit them.
Once you've performed a thorough review of your company's existing practices, consider the overall costs of your risk, including the consequences and long-term impact of letting it go unaddressed. Recognize that risk management is more than buying insurance; risk management is working to ensure that you don't need insurance because you're taking steps to close gaps that fraudsters could exploit.
Written Policies Are Best
Next, turn your attention to preventive strategies. If you don¡¦t have a written code of ethics and business conduct, now is the time to develop both. Fraud prevention begins at the top, with a clearly communicated commitment on the part of management. It isn't enough that you have a code of ethics; you must be seen following it.
Then look at your internal controls. Did you consider fraud prevention when you designed them? If not, re-evaluate them with an eye to closing possible loopholes. Policies to consider implementing include:
- Segregating financial and accounting duties,
- Duplicating sensitive tasks such as by double-signing checks over certain amounts,
- Requiring annual vacations for employees,
- Reconciling all bank accounts,
- Using passwords and IDs on computer files,
- Restricting unauthorized access to offices and computers,
- Training supervisors and managers to spot fraud, and
- Performing internal and external audits that include scrutiny of fraud prevention measures.
It's important, too, that you don't allow the employees who create fraud policies to assess and manage them. If, for instance, your IT staff devises its own security measures, someone outside the department should determine whether the measures are appropriate and adequate and monitor whether they're being followed.
Allocate Resources Based On Priorities
Once you've determined your areas of risk and ways to address them, you may discover that you can't do everything at once. If so, set some priorities so you can allocate resources most effectively.
Understand that not all risk is created equal. Some risk has the potential to cause damage that will ripple throughout the company but, viewed objectively, is highly unlikely to occur. Fraudulent financial reporting, for example, can topple a company, but heightened attention among auditors and the public, combined with Sarbanes-Oxley-driven internal changes, make it more difficult to perpetrate today.
Other potential problems may do less damage, but there's a much better chance that they'll happen. An overworked bookkeeper with a heavy mortgage could, for example, exploit operational loopholes to embezzle money fairly easily. In deciding how best to allocate your fraud prevention resources, assess the probability of different risks, rather than simply their size.
You also should set up a continuous monitoring system that will allow you to track and adjust controls as changing circumstances require. Fraud risk management isn't a one-time project: You must constantly evaluate your existing controls, comparing them with legal, regulatory and best practice standards.
Costs and Benefits
Fraud risk management can be time-consuming and complicated to design and implement, but it's nothing compared to the stress and potential financial losses that a fraud scheme can create. It's worth the initial headaches to have the peace of mind that a good fraud prevention program can deliver.
Local Case Study
In a recent case, we assisted a large local company with a review of their controls over cash, because they had actually taken a hit by a trusted management employee.
We found some weaknesses in their controls and gave them suggestions for improvement.
Their employees were aware of the misappropriation of cash, the investigation and the termination of the employee, and the precautionary measures taken afterwards. Their actions, including hiring an outside firm, will help to deter future occurrences of fraud.
(Mike Costello, CPA/ABV, CFE is a Certified Public Accountant, Certified Fraud Examiner, business appraiser and consultant with more than 20 years of training and experience in business valuations and appraisals, business acquisitions and divestitures, and forensic accounting.
He has written several articles for the Tennessee CPA and the AICPA’s Management Consultant newsletter.
He was the managing director and president of Costello, Strain & Company, PC, a CPA firm he established in May 1984. The firm was merged with Joseph Decosimo and Company, LLP, CPA’s in September 2003. Joseph Decosimo and Company, LLP was founded in 1972 and today is one of the top 100 CPA firms in the nation.)