Fraud prevention: Improving internal controls

Internal fraud controls aren't fire-and-forget. Smart collaboration and ongoing improvement will help keep fraud in check. Here are the basics.

1 2 Page 2
Page 2 of 2

Lessons learned

While no company wants to experience internal or external fraud events, victimization may have long term corporate anti-fraud benefits if all departments have comprehensive incident handling protocols and the incident is handled appropriately after the fact.

Appropriate handling always includes post event analysis which provides the company with an excellent "lessons learned" opportunity. During this process stakeholders need to be asking the tough questions and gathering information to identify the factors that allowed the event to occur.

The process should not be viewed as a fault finding mission but a determination of whether there was a company, policy, procedure or guideline in place to address this situation, whether the guidelines were followed as designed or adequate to address (or prevent) the specific situation that occurred.

If the fraud event occurred because an employee(s) simply failed to follow the internal control policies, then there are corrective measures that business units may take to ensure policies are followed in the future. These include communication to employees regarding increased awareness, correct handling processes and policy adherence. It may simply be that employees performed as expected under the circumstances but there were insufficient internal control policies in place to guide their behavior. Lessons learned here will strengthen internal controls through the creation of new ones.

A fraud event without in-depth incident evaluation, lessons learned and corrective action generally means that there is an excellent chance the criminals will reload the activity and the company will continue to experience high levels of fraud.

A great example of this involves timekeeping amongst non exempt employees. Many companies are now using electronic payroll systems offered through services like ADP to track arrival at work, departure from work, lunch, sick and vacation days. The systems work well but like any other technology, after implementation, there are always employees trying to figure out how to beat the system and steal time. Simply put, arrive 15 minutes late to work and your check is being docked that amount of time. Once two or three investigations are conducted into this kind of activity the methods used by employees trying to manipulate the clock are known and the holes that allowed the activity to occur can be plugged. Additionally, as stealing time is usually a violation of the company's Code of Conduct policies, when employees are terminated for stealing time, and it becomes known that termination is what the company's response to that action was, it serves as a deterrent to future activity like this.

Technology

While technology enables us to perform essential business functions, there are direct correlations between technology, fraud events and the internal control process. Technological applications are probably the single greatest sources of risk and exposure that businesses face. Robust internal controls, including platform and network access controls, remote usage and password protection policies, are needed to regulate the entire computing platform.

Additionally, there must be internal controls in place for all mobile computing applications and company telecommunication devices like personal computers and smart phones. Given how quickly technology is changing, strengthening internal controls in this area revolves around fluid processes as the technology is not static.

A great example of the evolving technology, risk and demand for internal controls involves cloud computing. While cloud computing is viewed as a way to reduce computing costs, the need for strengthened internal controls is significant as your company's information is not under your direct oversight and control.

As indicated earlier, this is a significant reason why information security professionals are one of the teams responsible for internal control oversight.

Fraud risk assessments

In accordance with current legislation and regulation, many of the internal controls in place today are specifically designed to protect Personally Identifier Information (PII), and consumer data in the possession of businesses. In today's business environment, consumer and information protection are paramount. Internal controls can be strengthened through departmental fraud risk assessments, audits, and an examination of policies and procedures, particularly those that involve employees who have direct interaction with consumers and their PII. The methods in which data's gathered, handled, stored, and destroyed in conjunction with the company's data retention practices should be examined in detail. Additionally, an assessment of the information and physical security practices, protection methods and controls surrounding the consumers and their PII data should be conducted to find the vulnerabilities and take corrective actions surrounding these internal controls.

Providing self assessment check lists to department managers and requiring a semi- annual review of policies, practices and procedures is an effective method for assessing key controls and ensuring that they are adequate for preventing fraud. Additionally, fraud risk assessments safeguard company assets, protecting the company from added liability and financial exposure. Oversight for semi annual review usually comes from either the compliance or audit departments. While PII is a major concern for privacy reasons and data breaches, there are a variety of critical business processes and procedures that could be examined in fraud risk assessments depending on the type of business, the industry and the regulation or oversight of the business. Oversight for fraud risk assessments is typically the responsibility of the company's audit department.

Testing key controls

It is essential to differentiate fraud risk assessments from control testing. The primary purpose of fraud risk assessments is gathering information about processes, procedures and controls while control testing determines whether the controls are working as intended or not.

It is important that we test internal controls in a controlled environment as internal controls which are only tested under "live fire," real time conditions may not actually be effective controls at all. Testing is an integral part in any control environment and may be a key indicator in not only assessing how strong the internal controls are but whether they need to be strengthened. Simulated, situational testing may also assess event readiness and effective business unit processes. The type of testing, the regularity of the testing and the testing schedule will vary from business to business and may be determined by individual company needs and regulatory requirements.

All technology and information based tools should be tested. A perfect example of internal control testing in the technology area involves testing access controls and information availability via online Internet information platforms. A recent test conducted by one company found a security flaw in the platform, which unknowingly exposed consumer's PII to the general public and had been doing so for a period of years until it was detected. The hole was plugged but the damage was already done!

According to the SEC, Section 404 of the Sarbanes Oxley Act requires and reinforces the need for control testing:

The Act directs the Commission to adopt rules requiring each annual report of a company, other than a registered investment company, to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board.

Conclusion

In this article, we've discussed a number of methods and approaches for strengthening internal controls. One thing is certain: Given the ever changing business and regulatory environment and the number and diversity of types of frauds being committed against companies globally, internal controls must be reviewed, evaluated, tested and strengthened regularly.

It's insufficient to create internal controls and expect them to stand the test of time without periodically modifying them to meet current conditions.

Daniel W. Draz, M.S., CFE is the Principal of Fraud Solutions, a specialized corporate fraud and investigation consulting firm. He has a Masters degree in Economic Crime Management and 26 years of sophisticated fraud, investigation, compliance, audit and risk experience exclusively in the private sector. Contact him via e-mail: info@fraudsolutions.com.

Related:
1 2 Page 2
Page 2 of 2
SUBSCRIBE! Get the best of CSO delivered to your email inbox.