Although most companies will not readily admit that their organizations may be vulnerable to fraud, according to the 2014 Report to the Nations published by the Association of Certified Fraud Examiners (“ACFE”), it is estimated that the typical organization loses 5 percent of its revenue to fraud each year. Based on the fraud cases reported as part of the ACFE’s study, the median loss caused by frauds was $145,000, while more than one-fifth of the cases involved losses of at least $1 million.
According to the ACFE, because fraud inherently involves efforts of concealment, many cases will never be detected. Therefore, organizations are encouraged to implement certain anti-fraud internal controls, in order to lessen the opportunities to commit fraud.
Understanding how occupational fraud is executed is the first step in determining which internal controls to implement. Based on the ACFE’s study, occupational fraud schemes are typically classified into three categories: asset misappropriation (theft of cash, data, property, etc.); corruption; and financial statement fraud schemes (deliberate misstatement, misrepresentation, or omission of financial statement data). Historically, although theft of assets has produced the lowest average losses, these schemes have accounted for the vast majority of reported fraud activity. Within this category, there are various techniques which an employee may utilize to steal company assets and resources, including theft of cash receipts and fraudulent disbursements of cash such as through billing schemes, fictitious vendors, fraudulent expense reimbursements, or check tampering. Understanding and analyzing each of these categories is a critical first step in designing an effective control environment throughout the organization which may aid in preventing and detecting fraudulent activity.
Based on the ACFE’s study, victim organizations that had implemented certain common anti-fraud controls such as the following experienced considerably lower losses than organizations lacking these controls:
- Implementation of a fraud hotline or web-based portal whereby internal and external sources may anonymously and confidentially report fraudulent or suspicious behavior. Policies and procedures related to the hotline should be well-publicized by management in an effort to promote and encourage its use. Implementation of a fraud hotline, especially when accompanied by an anti-retaliation policy and/or whistleblower reward program, will effectively improve an organization’s overall control environment by increasing the perception of detection. Historically, the receipt of internal or external tips has represented the most common detection method for each of the three categories of fraud schemes listed above.
- Separation of duties involving the custody of assets, authorization of transactions affecting those assets and recording/reporting of related transactions. The underlying theory of separation of duties is that a single employee should not be in a position to both commit and then conceal fraudulent activities. For example, the Institute of Internal Auditors[ii] suggests there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities (authorization/recording) and those who handle the assets (custody). In general, the flow of internal processes should be designed in such a manner that one individual’s roles and responsibilities serve, in part, as a check and balance of another individual’s work. Such a system would serve to reduce the risk of undetected errors and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements.
- Reconciliation of bank accounts and management review of periodic account reconciliations (bank reconciliations, petty cash, etc.) and bank statements. Bank reconciliations provide insight into the differences between an organization’s cash balance per the balance sheet and per the bank statement, while also proving the completeness and accuracy of the data recorded in the organization’s cash ledger. Depending on the size of the organization and the volume of cash transactions, bank reconciliations may be performed anywhere from daily to monthly. Adequate separation of duties should also be implemented in the bank reconciliation process, in that the cash bookkeeping, bank reconciliation and check signer functions should be separated.
- Review and authorization of expense reimbursements by supervisors and management in a timely fashion. Per the ACFE’s study, a significant portion of asset misappropriation schemes involve situations in which an employee makes a claim for reimbursement of fictitious or inflated business expenses. Management should first ensure all policies and procedures, including those related to expense and travel reimbursements, are communicated to all employees, along with timely notifications of any relevant updates. Furthermore, expense reports submitted by employees, including any underlying support, such as credit card bills, receipts, telephone bills, etc., should be reviewed and signed off by the employee’s immediate supervisor and the organization’s payroll department. Expense reports submitted by members of management should be reviewed by other members of management.
- Safeguarding and reconciliation of petty cash funds on a periodic basis by authorized employees. Although petty cash funds typically represent an insignificant amount of cash held by an organization, primarily used for small day-to-day expenses, petty cash improprieties may be a signal of broader issues regarding management’s approach to internal controls and the organization’s control environment. To help strengthen the processes surrounding petty cash, sequentially numbered vouchers should be kept as well as disbursement receipts with the disbursement date, amount, purpose, and employee name. Further, the petty cash custodian should maintain a reconciliation of the petty cash fund, reconciling total cash on hand plus outstanding receipts to the total petty cash maximum. Access to the petty cash fund should also be limited to a small number of employees, with the funds kept in a locked box. Lastly, to test compliance with organizational policies and further increase the perception of detection, management may order an independent audit of the petty cash fund on a periodic basis.
Management should maintain a proactive approach to identifying vulnerabilities unique to their organization and implement effective and efficient internal controls to help prevent and detect fraudulent activities. Demonstrating a genuine interest and concern in the implementation of sound internal controls will aid management in establishing an ethical organizational culture.
For more information on fraud and internal controls, or to learn how Baker Tilly specialists can help, contact our team.
[i] ACFE. 2014 Report to the Nations. 2014.
[ii] The Institute of Internal Auditors. Simplifying Segregation of Duties. 2009.