First the good news: According to the most recent annual Global Fraud Report (2013/2014) by security firm Kroll, the U.S. has an incidence of fraud below the global average.
The bad news? That still means that 66 percent of U.S. companies were hit by fraud in the last year, with losses averaging about 1.2 percent of revenue. What’s worse, U.S. companies are less likely than their international counterparts to have anti-fraud strategies in place.
Yet the key to preventing and detecting internal fraud lies in implementing strong controls, and these need not be expensive or burdensome. Here’s where to start:
- Begin at the end. “It’s a reverse engineering process,” says Daniel Draz, a certified fraud examiner (CFE) and principal of Fraud Solutions based in Illinois. “Use your overall risk assessment to figure out what you have that’s potentially at risk—usually it’s information or money—then work backward to build the appropriate control. Who handles the item? Why do they handle it? How can you protect it?”
- Understand the basics. Though specific controls may vary, there are a few key principles that form the basis of most schemes:
- authorization, in which a manager signs off on a transaction before an employee enacts it,
- separation of functions, in which authorization, recording, and custody are handled by different people, and
- redundancy, which might include independent account reconciliation, forced vacations, and periodic auditing.
A program may also include controls for:
- prevention, such as establishing hiring criteria for sensitive positions, access controls, authorization requirements, budgeting, and forecasting, and
- detection, including reconciliations, periodic performance reports with variance, and internal audits.
A program may also have a formal process for correction of oversights, which we’ll discuss further down.
- Trust but verify. On average, embezzlers have been with their companies for seven years, Draz points out, so it would be foolhardy to place blind trust in any employee—even those with significant tenure. At the same time, treating employees like potential criminals is bound to harm morale and reduce incentive to embrace proper controls.
“You need to stress to employees that as custodians of your customers’ information and your investors’ money, you have a responsibility to ensure that these assets are secure,” he says. By communicating the importance of trustworthiness as a corporate value, you earn employee buy-in, which can increase adherence to security processes.
- Testing, testing…and more testing. Having controls in place is one thing, but making sure they work is quite another. Testing a control process can be as simple as creating a dummy transaction, (for example, a T&E expense report or bank transfer) that falls outside the parameters you’ve set, and see if it goes through. If it does, where did the failure occur? Was the control simply ignored or actively overridden? Did the technology you have in place fail to raise a red flag? Did it notify the wrong person?
- Learn from your mistakes. Similarly, if internal fraud or error is detected, use the breach as an occasion to uncover and repair weaknesses in your processes. “Unless it involves malfeasance, this doesn’t mean hanging someone out to dry,” Draz says, emphasizing that taking a collaborative rather than punitive approach can yield better results. An example might be a control that was overridden in order to resolve a customer-service issue. Is there a way to avoid such a conflict in the first place?
Remember, above all, to keep it simple. Internal controls don’t have to be complex to function well. Instead, take common-sense steps to prevent and detect internal fraud and error to give yourself and other stakeholders peace of mind.