Fraud Detection And Deterrence - An Internal Auditor's Perspective
Friday, July 24, 2009
When a fraud comes to light, the typical reactions range from asking how it happened, what the loss is and who is involved, to why it had not been spotted earlier.
Public vs Auditors' Expectations in Fraud Detection
The public tends to expect auditors to detect frauds in the course of their work. Auditors, however, see it as unrealistic to expect them to scope their audits to detect fraud as well. They focus their work on areas with direct or indirect impact on a company's bottom line, e.g. plugging revenue leakages, recovering overpayments, improving internal controls, enhancing corporate governance practices, etc. Fraud discovery is mostly not the focus of their procedures. They scope their work and review transactions based on samples. A fraud, particularly if it is not massive, might not be visible from samples and normal audit procedures. Auditors do not check every transaction. Even if they do, some clever collusive frauds (involving two or more persons, usually an employee and an outsider like a supplier) would probably go undetected.
Recent surveys have shown that the majority of frauds were committed by insiders. The management of an organization should therefore be vigilant that their operating environment is not conducive to fraud.
Environments Conducive to Fraud Activities
Environments that are conducive to fraud include the following:
High-growth, fast-paced organization
It is common to find that controls are secondary where employees are under pressure to grow the business, especially that of its overseas locations. Often, in such an organization, systems and controls do not adequately keep pace with the organization's growth.
High incidence of management over-ride
Where over-ride of policies and procedures by a manager becomes rampant, the possibility of fraud and abuse increases because of compromise in internal controls. The attitude in such organizations towards internal controls is generally poor.
Employee highly protective of his or her areas of responsibility
The employee's tactic is usually to "put off and intimidate" anyone prying into his or her areas of responsibility. The intention is to discourage further questions. There is normally an air of resistance and impatience when dealing with such an employee.
High concentration of control in one person
Even though it might appear that responsibilities of an area are split organizationally, there is, in reality, one central person who is in control. He is the chief who directs. The other employees merely perform their functions in a cursory manner. The other employees are reluctant to answer any queries and would refer to the chief for answers.
General lack of segregation of duties
In today's IT-driven processes, it is common to find an employee performing what auditors describe as "conflicting or incompatible duties". A simple example is a human resource person who maintains employees' pay records and also processes the payroll. While it might be more efficient (and cost-effective) to have the two functions done by the same individual, it increases the risk of abuse by the employee concerned.
The obliging IT department
The IT department that earnestly obliges its internal customers might unwittingly end up helping a fraudster in his or her activities. In such incidents, the fraudster would ask for program and systems changes. In form, the changes are to help him or her to be more efficient and effective, but, in intention, the changes are to aid and cover up his or her fraudulent activities.
Fraud Deterrence Measures
The starting point to mitigate the risk of fraud is to have stated organizational policies and procedures and build detective and preventive controls into the procedures.
The logic in fraud deterrence is that employees who perceive that they will be caught are less likely to commit it. Therefore internal controls can have a deterrent effect only when employees perceive that such controls exist for the purpose of uncovering fraud.
It follows then that an organization should increase the perception of detection. Such steps include the following:
Employee education
Employees should be given anti-fraud training, or at the very least, basic fraud awareness. In this way, they become the eyes and ears of the organization and with the education, will be more likely to report possible fraud activity.
Fraud policies
Having a policy that clearly states the organization's stand and how it will deal with fraud perpetrators would send a clear message to employees of the organization's zero tolerance for anyone who commits fraud.
Analytical review
This measure is particularly beneficial to smaller businesses where the impact of fraud activities is frequently significant to the bottom line. The effectiveness of this measure would increase if the company has a policy of job rotation and enforced annual leave. Because many frauds require continuous manual intervention by the perpetrator, the chances of uncovering fraud activities are high when his or her job is being rotated.
Surprise audits
The threat of surprise audits, especially in currency-intensive businesses, would be a strong deterrent to fraud compared to normal audits that are announced in advance, giving fraud perpetrators time to cover their tracks.
Conclusion
There are many more scenarios that pose high risks of fraud and much more an organization can do to detect and deter fraud. The point is for management to be vigilant, to recognize probable areas and remain conscious of fraud possibilities when going about their work. Being aware and taking the necessary preventive and corrective actions could well deter or avert a fraud.
Labels: Fraud, Internal Auditor, International Auditing Standards
posted @ 10:56 AM