Why Companies Need a Plan to Prevent Fraud
By Arlen Lasinsky, CPA, CFE, CFF, CVA, CTP, Director, Advisory Services
Fraud has been a threat to companies for decades — in fact, the infamous Ponzi scheme was created by Charles Ponzi a little more than a century ago. Even with increased oversight from companies and government agencies, it’s important to understand that you can’t stop fraud; you can only minimize the risk.
Since perpetrators will continue to scheme about how to breach the system, a company’s fraud prevention plan should be a living document that is continuously evaluated and enhanced as the company and its systems evolve.
Every other year, the Association of Certified Fraud Examiners publishes a Report to the Nations, a global study documenting occupational fraud and abuse.
The most recent report was issued in 2020 and covered 2,504 cases in 125 different countries with aggregated total losses of approximately $3.6 billion.[1] In 71% of cases in the study, the fraud lasted two years or less.[2] An effective fraud prevention plan is essential.
There are numerous types of fraud that can occur, including but not limited to:
- Check fraud;
- Financial statement fraud;
- Payroll fraud;
- Credit card fraud;
- Expense report fraud; and
- Insurance fraud.
Company leaders need to assess their organization’s susceptibility to fraud. The assessment should include all fraud risk areas. When you do identify fraud risk areas, you should focus on addressing the vulnerabilities and determining the best controls to implement. The implementation of the controls should be documented in the written plan. This plan should be prepared by senior management and approved and supported by the internal audit department, audit committee, and board of directors.
To protect against fraud, internal controls are designed to:
- Safeguard assets;
- Minimize risks in the company;
- Provide reasonable assurance that accounting information is accurate, reliable, and timely reported;
- Promote efficient company operations; and
- Encourage employees to adhere to company policies and procedures.
Internal controls should not only include segregation of duties among employees, but should also ensure the environment is conducive to fraud prevention. Segregation of duties is the assignment of the steps in a procedure to more than one person. The intent is to eliminate situations in which one person has so much control over a process that the employee could engage in fraudulent activities.
Below are steps leaders can take to enhance their company’s internal controls:
- Evaluate policies and procedures on a periodic basis. It is important to periodically review policies and procedures because, for example, there may be changes in laws and regulations, new technology or the company’s goals and mission may have changed. By not periodically reviewing policies and procedures, the company may be at a higher risk for fraudulent activities.
This includes, but is not limited to, changes in personnel and their assigned duties, technology and the environment. The evaluation should also consider whether existing internal controls are still applicable and if they are being followed appropriately. Periodically testing internal controls and bringing in an independent third party to review the results is another way to determine whether the prescribed procedures are being properly followed.
- Perform background checks on prospective employees. Background checks will tell you if prospective employees have a history of questionable behavior. This information will allow the company to make an informed decision about hiring the prospective employee.
- Review any breaches that have occurred in the past. Prior frauds can tell you how your internal controls were previously circumvented and how they can be improved for the future.
- Obtain insurance to protect the company against losses. Regardless of the strength of internal controls, there is always a potential risk that remains. If a fraud occurs, insurance may allow the company to recover some, if not all, of the resulting losses.
- Train all employees. They need to understand their role in the fraud prevention plan and what they need to do to uphold the objectives of the fraud prevention plan.
- “Tone at the top” refers to the workplace atmosphere created by the organization’s leadership. Whatever tone management sets has a trickle-down effect on employees. If the tone set by managers upholds ethics and integrity, employees will be more inclined to uphold those same values. However, if upper management appears unconcerned with ethics and focuses solely on the bottom line, employees may be more likely to commit fraud because they feel ethical conduct is not a focus or priority within the organization. Employees pay close attention to the behavior and actions of their bosses, and they follow their lead. In short, employees will do what they witness their bosses doing.[3]
- Banks typically offer treasury management products and services to help companies manage their cash and investments and to prevent fraud. Although there is a cost for these products and services, the benefits typically outweigh those costs.
For example, one product is Payee Positive Pay. Although use of this bank product has grown in recent years, many businesses still do not use it. Payee Positive Pay enables companies to send an electronic file to the bank before it issues checks. This file contains the check number, amount, date, and payee. When checks are presented for payment, the payor bank matches the check to the electronic file sent by the company. If the check does not match the electronic file information, the bank communicates with the company to determine if the exception is a legitimate change to the check. If the check has been altered, it will be returned to the depository bank unpaid.
- Stay up to date with cybersecurity training. Cybercrime threatens all organizations, including private and public businesses and government entities. Ransomware, malware, phishing, and other threats could be devastating. Frequent cybersecurity training keeps teams up to date about the dangers that exist and how those risks can harm a business. Following training, the company’s IT department can send test emails to employees to determine whether they are using the security measures they learned in the cybercrime training sessions. In addition, employees need to be aware of emails that do not appear to be legitimate.
- Set up a fraud hotline so employees can anonymously report known or suspected suspicious behavior. If employees fear retaliation for such reporting, they may not come forward. Using a fraud hotline promotes a culture of honesty and accountability. It’s important for top management to be involved and to encourage communication via the fraud hotline.
Many companies utilize a fraud hotline. The latest Report to the Nations showed that organizations with a fraud hotline detected fraud within 12 months versus 18 months for organizations with no fraud hotline. In addition, organizations with a fraud hotline detected a fraud occurring by tip in 49% of the cases, versus only 31% of cases for organizations without a fraud hotline.[4]
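The Payee Positive Pay matching described above can be sketched as follows. This is an added example, not code from the author or from any bank's product; the record layout, the `PAY`/`EXCEPTION` labels, the payee normalization rule and the sample checks are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    issued: date
    payee: str


def normalize_payee(name: str) -> str:
    # Assumed rule: ignore case, spacing and punctuation when comparing payees.
    return "".join(ch for ch in name.upper() if ch.isalnum())


def review_presented(issue_file, presented):
    """Match presented checks against the company's issue file.

    Returns (check_number, decision, mismatches) per presented check.
    An EXCEPTION is referred to the company before the check is paid.
    """
    issued = {c.number: c for c in issue_file}
    results = []
    for p in presented:
        ref = issued.get(p.number)
        if ref is None:
            results.append((p.number, "EXCEPTION", ["not in issue file"]))
            continue
        mismatches = []
        if p.amount != ref.amount:
            mismatches.append("amount")
        if p.issued != ref.issued:
            mismatches.append("date")
        if normalize_payee(p.payee) != normalize_payee(ref.payee):
            mismatches.append("payee")
        results.append((p.number, "EXCEPTION" if mismatches else "PAY", mismatches))
    return results


# Constructed sample data: the file the company sent and the checks presented.
ISSUE_FILE = [
    Check("1001", Decimal("1250.00"), date(2021, 3, 1), "Acme Supply Co."),
    Check("1002", Decimal("480.75"), date(2021, 3, 1), "J. Rivera"),
]
PRESENTED = [
    Check("1001", Decimal("1250.00"), date(2021, 3, 1), "ACME SUPPLY CO"),
    Check("1002", Decimal("4800.75"), date(2021, 3, 1), "J. Rivers"),
    Check("1003", Decimal("900.00"), date(2021, 3, 2), "Unknown LLC"),
]

if __name__ == "__main__":
    for row in review_presented(ISSUE_FILE, PRESENTED):
        print(row)
```

Matching on the payee as well as the check number and amount is what flags a check whose payee line was changed while the amount was left intact.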
With the rise in fraud cases affecting all types of organizations, companies must be as proactive as possible to minimize their risk. Perpetrators are looking for opportunities to take advantage of vulnerabilities. A fraud prevention plan is an essential tool for all organizations.
1. Report to the Nations, 2020 Global Study on Occupational Fraud and Abuse, p. 4.
2. Ibid., p. 14.
3. Tone at the Top: How Management Can Prevent Fraud in the Workplace, Association of Certified Fraud Examiners, p. 1.
4. Report to the Nations, 2020 Global Study on Occupational Fraud and Abuse, p. 21.