Internal Controls & Fraud Prevention
Published June 12, 2018 by Karen Walsh • 4 min read
The bedrock of a fraud prevention program is a company’s internal controls environment. Many people associate fraud with identity theft and fraudulent credit card charges. However, employee fraud, called occupational fraud, often occurs because internal controls allowed someone to exploit a weakness. Although companies need the ability to detect fraud, they need to create a proactive internal control program to prevent fraud.
Preventing Fraud Through Effective Internal Controls
What is the fraud triangle?
Employee fraud, called occupational fraud, arises out of the “fraud triangle.” The fraud triangle describes the three conditions that come together when someone commits fraud: a pressure in their life, an opportunity created by a weakness in the company’s internal controls, and a rationalization that lets them justify exploiting that weakness.
For example, if an employee’s family member has been ill, leaving the employee with debt from medical expenses, that person may seize upon a weakness in your control environment to help pay the bills. The employee’s outside pressures lead them to rationalize that the business won’t notice, or that they need the money to keep their home.
Protecting your organization from fraud, therefore, means locking down your controls.
What is the cost of occupational fraud?
According to the Association of Certified Fraud Examiners (ACFE) 2018 Report to the Nations, the average (mean) corporate loss arising out of fraud in 2018 was $2.75 million. However, the ACFE also noted that the study incorporated a few large outliers that skewed that figure. Thus, the median loss of $130,000 is the more representative number.
Despite this difference between median and mean, the total loss across the 2,690 cases in the study was $7.1 billion in 2018.
How do people commit occupational fraud?
The three primary types of occupational fraud are corruption, asset misappropriation, and financial statement fraud. While occupational fraud most often takes the form of asset misappropriation, companies lose the most money from financial statement fraud.
Financial statement fraud includes overstatements and understatements of net worth or net income. For example, corporate employees may create fictitious revenues or understate revenues. Improper disclosures are another form of financial statement fraud.
What controls help protect against fraud?
Protecting your company from occupational fraud involves both people-based controls and automated controls.
For example, a code of conduct acts as the primary protection against fraud. However, establishing a code of conduct is only half the battle: people can choose whether or not to follow a policy. Therefore, companies must layer additional controls on top of this first one.
Internal audits combined with management review provide layered oversight of your controls. First, management needs to review the controls in place continuously to ensure that they still work. Internal audits then provide a second layer of assurance, independent of management, that your controls work as intended.
What controls help mitigate the duration of fraud?
Your code of conduct, management review, and internal audit programs may not prevent every fraud. If an employee is determined to commit a crime, they will. Therefore, you also need controls that help ensure fraudulent activity is caught quickly, limiting how long it continues.
Proactive monitoring, surprise audits, and management certification of financial statements are three controls that can help with early detection.
According to the ACFE report, in 72% of cases where the company had incorporated management’s certification of financial statements as a control for twelve months, the company saw a 50% reduction in fraud. Relatedly, although owner/executive occupational fraud represents only 19% of cases, it accounts for the majority of losses.
How Sarbanes-Oxley compliance helps protect against occupational fraud
The Sarbanes-Oxley Act of 2002 (SOX) compliance requirements fall into several different areas. Within its provisions on corporate responsibility and governance, several information security issues arise.
SOX Section 404 focuses on IT controls as they relate to financial reporting. The controls whose failure could cause misstatements in financial reports should be tested most rigorously, because misstatements in financial reports raise a red flag signaling potential occupational fraud. These controls, therefore, require more testing and more documentation. For example, access control failures leave organizations vulnerable to misstatements in financial reports, since someone with inappropriate access can alter the underlying records.
SOX compliance focuses on holding management accountable for financial reporting. Enacted in the aftermath of the Enron and WorldCom scandals, the law reflects legislators’ focus on protecting employees from corrupt senior management and Boards of Directors. Requiring management and the Board to certify the financial statements as part of SOX compliance holds them ethically and legally accountable not only for their own actions but for those of their peers.
How automating SOX testing documentation streamlines audits
Audits require a constant flow of information and documentation between internal and external stakeholders. ZenGRC’s SaaS platform provides organizations with multiple tools to enable efficient SOX audit tracking.
Internally, the ZenGRC platform allows organizations to map controls across frameworks to maintain consistency. For example, HIPAA compliance and SOX compliance both require user-access controls. However, while SOX controls focus on financial reporting, HIPAA controls focus on privacy. Therefore, when a HIPAA-compliant organization needs to become SOX compliant, it must evaluate where its existing controls leave gaps. ZenGRC’s ability to map controls across multiple frameworks, regulations, and standards provides insight for organizations that want to take on additional compliance requirements.
Meanwhile, external auditors require proof that an organization has tested its controls, and they want that documentation compiled in a single, easy-to-access location. ZenGRC provides a single source of truth that streamlines audit information gathering. Rather than reaching out to multiple stakeholders, each of whom accesses information according to their role, organizations using ZenGRC’s role-based authorization platform give workforce members access to exactly the information they need to do their jobs. These authorizations give compliance managers access to the IT department’s documentation while limiting their ability to make changes. This not only maintains the data’s integrity but also eases cross-departmental communication and saves time.
Finally, ZenGRC’s risk heat maps provide easy-to-digest risk analyses that allow the Board of Directors to meet its oversight requirements. When the Board can articulate the basis for its decisions, it can prove to auditors and regulators that it has met its due diligence obligations.
Automating SOX control testing means more than automating the controls themselves; it means automating the documentation that proves the controls work.
For more information about how ZenGRC enables agile compliance, schedule a demo.