The recently revised COSO study provides high-level points of focus for preventing fraud. An organization should “consider the potential for fraud in assessing risks to the achievement of objectives.” The COSO study identifies four critical points of focus to assess fraud risk:
- Consider various types of fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur
- Assess incentives and pressures—The assessment of fraud risk considers incentives and pressures
- Assess opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts
- Assess attitudes and rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions
Organizations should consider all of these factors when developing or reviewing any policy or procedure. You might be right that anti-fraud controls mainly apply to the general area of accounting (purchasing, revenue, payroll, banking and treasury, inventory, assets, etc.), but they will also involve many specific areas of operations, such as sales, payments, expenses, receivables, travel, suppliers, taxes, promotions and much more.
It’s not enough to focus controls on fraud, however. A broad range of internal controls and a firm understanding of them are necessary to support fraud prevention efforts. Consider the five components of internal control:
- The control environment, which includes the integrity, ethical values and competence of employees
- Risk assessment, which forms the basis for determining how risks should be managed
- Control activities, which are the policies and procedures to help ensure that management directives are carried out
- Information and communication, which includes the methods for identifying, capturing and communicating information required for employees to carry out their duties
- Monitoring, much of which occurs through routine management and supervisory activity
The primary mechanisms to effect internal control are:
- Process monitoring is often part of management reporting; statistics provide information about volumes processed, problems that arise, backlogs, resources used, and so on
- Supervision and review help ensure that controls are in place and effective
- Training of staff and hiring qualified and capable staff help ensure that employees understand their responsibilities and carry them out effectively
- Written policies and procedures reduce the risk of misunderstanding or lack of knowledge leading to control deficiencies
- Segregation of duties may prevent fraud and error
- Reconciliations compare two numbers and explain any differences between them
- Analytical review is used to explain changes from other periods, other departments, budgets, forecasts or benchmarks
- Edit checks and validation ensure that data entered makes some sense; for example, a month must have a numerical value less that 13, or a total is entered to ensure that no data has been missed
- Design and ergonomics may reduce the rate of human error
- Audit trails facilitate tracking the flow of information and making corrections when required
This is just a basic look at what organizations must do to manage the risk of fraud in their operations. Please feel free to let us know about the challenges you’ve faced with fraud and how you’ve addressed them!
- How does IT recovery planning differ from business continuity planning? - August 4, 2015
- How to manage bank accounts: the basics - July 6, 2015
- Refresher on financial statistics and metrics - April 6, 2015