|
[ BOTTOM LINE ]
FRAUD DETECTION AND DETERRENCE - AN INTERNAL AUDITOR'S
PERSPECTIVE
When a fraud comes to light, the typical reactions
range from asking how it happened, what the loss is, who are involved,
to why it had not been spotted earlier.
Public vs Auditors' Expectations in Fraud Detection
The public tends to expect auditors to detect
frauds in the course of their work. Auditors however see it as unrealistic
to expect them to scope their audits to detect fraud as well. They
focus their work on areas with direct or indirect impact on a company's
bottom line eg. plugging revenue leakages, recovering overpayments,
improving internal controls, enhancing corporate governance practices,
etc. Fraud discovery is mostly not the focus of their procedures.
They scope their work and review transactions based on samples.
A fraud, particularly if it is not massive, might not be visible
from samples and normal audit procedures. Auditors do not check
every transaction. Even if they do, some clever collusive frauds
(involving two or more persons, usually an employee and an outsider
like a supplier) would probably go undetected.
Recent surveys have shown that the majority of
frauds were committed by insiders. The management of an organization
should therefore be vigilant that their operating environment is
not conducive to fraud.
Environments Conducive to Fraud Activities
Environments that are conducive to fraud include the following:
 |
High-growth, fast-paced organization
It is common to find that controls are secondary where employees
are under pressure to grow the business, especially that of
its overseas locations. Often, in such an organization, systems
and controls do not adequately keep pace with the organization's
growth.
|
|
High incidence of management over-ride
Where over-ride of policies and procedures by a manager
becomes rampant, the possibility of fraud and abuse increases
because of compromise in internal controls. The attitude in
such organizations towards internal controls is generally
poor.
|
|
Employee highly protective of his or her areas of responsibility
The employee's tactic is usually to "put-off and intimidate"
anyone prying into his or her areas of responsibility. The
intention is to discourage further questions. There is normally
an air of resistance and impatience when dealing with such
an employee.
|
|
High concentration of control in one person
Even though it might appear that responsibilities of an
area are split organizationally, there is, in reality, one
central person who is in control. He is the chief who directs.
The other employees merely perform their functions in a cursory
manner. The other employees are reluctant to answer any queries
and would refer to the chief for answers.
|
|
General lack of segregation of duties
In today's IT-driven processes, it is common to find an
employee performing what auditors describe as "conflicting
or incompatible duties". A simple example is a human resource
person who maintains employees' pay records also processs
the payroll. While it might be more efficient (and cost-effective)
to have the two functions done by the same individual, it
increases the risk of abuse by the employee concerned.
|
|
The obliging IT department
The IT department that earnestly obliges its internal customers
might unwittingly end up helping a fraudster in his or her
activities. In such incidents, the fraudster would ask for
program and systems changes. In form, the changes are to help
him or her to be more efficient and effective, but, in intention,
the changes are to aid and cover-up his or her fraudulent
activities.
|
Fraud Deterrence Measures
The starting point to mitigate the risk of fraud is to have stated
organizational policies and procedures and build detective and preventive
controls into the procedures.
The logic in fraud deterrence is that employees who perceive that
they will be caught are less likely to commit it. Therefore internal
controls can have a deterrent effect only when employees perceive
that such controls exist for the purpose of uncovering fraud.
It follows then that an organization should increase the perception
of detection. Such steps include the following:
|
Employee education
Employees should be given anti-fraud training, or at the
very least, basic fraud awareness. In this way, they become
the eyes and ears of the organization and with the education,
will be more likely to report possible fraud activity.
|
|
Fraud policies
Having such a policy stating clearly the organization's
stand and how it will deal with fraud perpetrators would send
a clear message to employees of the organization's zero-tolerance
for anyone who commits fraud.
|
|
Analytical review
This measure is particularly beneficial to smaller businesses
where the impact of fraud activities is frequently significant
to the bottom line. The effectiveness of this measure would
increase if the company has a policy of job rotation and enforced
annual leave. Because many frauds require continuous manual
intervention by the perpetrator, the chances of uncovering
fraud activities are high when his or her job is being rotated.
|
|
Surprise audits
The threat of surprise audits, especially in currency-intensive
businesses, would be a strong deterrent to fraud compared
to normal audits that are announced in advance, giving fraud
perpetrators time to cover their tracks.
|
Conclusion
There are many more scenarios that pose high risks of fraud and
much more an organization can do to detect and deter fraud. The
point is for management to be vigilant, to recognize probable areas
and remain conscious of fraud possibilities when going about their
work. Being aware and taking the necessary preventive and corrective
actions could well deter or avert a fraud.
(Danny Ng heads the Corporate Risk Advisory division that specializes
in helping clients enhance their control environment and corporate
governance practices. He is an internal audit specialist and has
undertaken numerous assignments on employee fraud and abuse investigations.
If you need further information or require any assistance in relation
to the areas discussed in this article, please contact Danny at
65311-878 or dannyng@stoneforest.com.sg.)
|
