July 30, 2015

8/10/2021: This article has been updated since its original publishing date to reflect trends in the most recently available Report to the Nations on Occupational Fraud and Abuse (2018). 

We are all faced with limited resources everywhere we turn. In the world of accounting and finance, having limited resources means that we have to make choices about how we allocate those resources when it comes to internal controls, financial reporting capabilities, personnel, and so on. These are difficult decisions to make.

If resources are scarce for accounting departments, the portion that can be devoted to specific fraud prevention tools is even scarcer. This can be particularly pronounced in not-for-profit organizations as dollars tend to be allocated first to mission-based functions and providing the absolute best for the community the organization serves. Having said that, losses due to fraud are always damaging both in terms of reputational damage and the loss of funds. For these reasons, selecting the right controls to defend against fraud is important.

The notion of limited resources is problematic for the prevention of fraud. Would-be fraudsters consistently look for weaknesses in an organization and identify ways they can exploit those weaknesses to complete the fraud. All organizations have flaws and weaknesses, whether they are inherent or by poor design, and the specific weaknesses will be different in each case. Therefore, a one-size-fits-all approach to internal controls or fraud prevention is very difficult to design. For these reasons, a thorough and unique risk assessment is a necessary step each organization needs to complete to design adequate controls in the effort to prevent fraud.

Not all internal controls and fraud prevention tools are created equal. There are some tools that have proven to be more effective at limiting fraud losses than others. As organizations begin their first risk assessment session, or as they update a previous risk assessment, there are two things to keep in mind: (1) completing a formal risk assessment is a necessary step, and (2) the quality of internal controls is of greater importance than the quantity of internal controls.

To this first point, risk assessments provide management and the accounting and finance team direction and strategy when it comes to implementing internal controls. Without this direction, it can be like going for a walk but not really knowing where you are heading. You put one foot in front of the other because that is what you’ve always done. But how do you know if the next step you take is pointing you where you want to go?

In the context of accounting and internal controls, you perform certain tasks because that is what you’ve always done. But how do you know that those tasks will safeguard your assets, or strengthen your financial reporting, or guarantee accuracy? Just because you did those tasks at your previous employer doesn’t mean they are necessarily right for this organization. It doesn’t mean that they are wrong either, but you won’t know for sure until you understand the risks facing the organization and the most effective ways to mitigate those risks.

To the second point, having the right controls in place is much more important than having a lot of controls in place, for many reasons. Here’s an example to illustrate this point. A theatre is having a very successful season and is filling the house. However, they have been having cash flow troubles and have not been able to understand why. The CFO does some digging around the box office and suspects that one of the tellers has been committing fraud. Register statistics for each teller show that one employee has been selling a disproportionate number of tickets to senior citizens and students, who are afforded a 50% discount. It turns out that the employee was receiving enough cash from the patron for full-price tickets, but ringing up a discounted ticket and putting the difference in her pocket. In this example, the theatre had a control in place to make sure that the register tapes reconciled to the cash in the till at the end of each teller’s shift, but they did not have a control in place to regularly look at register statistics for any anomalies.

This is an example of an organization setting up internal controls in reverse. Controls were set up without first identifying the risks they would mitigate. Controls are often set up in the hopes that they mitigate risk somewhere in the operation, but they are not always implemented to address specific risks (the random walk we talked about earlier).

The register reconciliation control was implemented because it sounded like a good control to have in place for the retail portion of the operation, not because it was responding to a specific risk identified in a risk assessment. The risk assessment may have told us that the register reconciliation control needed to be there; however, that same process likely would have told us that other controls needed to be in place too (i.e., review of register statistics).

It becomes much easier to identify useful and creative controls if you have completed a brainstorming session on risks facing the organization’s operations. If the brainstorming session identified the risk that a teller could be skimming from the register, it would have been much easier for the CFO to identify that reviewing register statistics could mitigate that specific risk. Jumping right into a brainstorming session on which internal controls should be used, without first discussing risk, is ineffective. Without first understanding the risk of skimming, it is difficult to understand why reviewing the register statistics is a necessary step.

If we accept the notion that every organization has limited resources, and we also accept the notion that risk assessment sessions are effective at identifying the appropriate internal controls to implement, then the following table will be helpful. The Association of Certified Fraud Examiners conducts a study every two years called the Report to the Nations on Occupational Fraud and Abuse. This study polls Certified Fraud Examiners all over the world and asks them to report on their real-life cases. They disclose how the fraud was perpetrated, the profile of the person that did it, how much they took, and most importantly how they got caught. That study produces a variety of useful information, but some of the most informative is presented in a table that ranks internal controls based on their ability to reduce the dollar loss of fraud. Frauds can always get started. The trick is to identify the fraud as early as possible and these internal controls have been identified by the ACFE as having the greatest chance of catching the fraud early on.

The study provides a more complete list, but what is included here is the top 10 most effective internal controls. The table lists these controls and then displays how often the control was implemented, the dollar loss of the fraud in cases where that control was implemented (“Yes” column), the dollar loss of the fraud in cases where that control was not implemented (“No” column), and the percentage of difference between the Yes and No columns.

| Control | % of Cases Implemented | Yes (000s) | No (000s) | % Reduction |
|---|---|---|---|---|
| Code of Conduct | 80% | $110 | $250 | 56% |
| Proactive Data Monitoring/Analysis | 37% | $80 | $165 | 52% |
| Surprise Audits | 37% | $75 | $152 | 51% |
| External Audit of Internal Controls Over Financial Reporting | 67% | $100 | $200 | 50% |
| Management Review | 66% | $100 | $200 | 50% |
| Anti-fraud Policy | 54% | $100 | $190 | 47% |
| Internal Audit Department | 73% | $108 | $200 | 46% |
| Management Certification of Financial Statements | 72% | $109 | $192 | 43% |

Proactive data monitoring has jumped to the forefront. Accounting systems are churning out so much data, and the organizations and companies that monitor that data have a leg up on their peers when it comes to fraud prevention. The register statistic control mentioned in the example above would be a great example of proactive data monitoring. The most current ACFE study (published in 2018) shows that proactive data monitoring is enhanced when financially oriented information (e.g., revenues, expenses, etc.) is paired with non-financial data (e.g., tickets sold by category, number of performances, number of performers). The operational success of an organization should be tied to its financial performance. When these two elements are telling a different story, that is a sign that something unusual may be going on.
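The register-statistics review from the theatre example can be sketched in code. This is an added illustration, not part of the original article or the ACFE report: it compares each teller's share of discounted tickets with that of all other tellers pooled, using a two-proportion z-score. The teller names, ticket counts and thresholds are constructed assumptions.

```python
import math

# Constructed sample data: tickets rung up per teller over one season.
# "discount" counts senior/student tickets sold at the 50% discount.
# Each teller's tape still reconciles to the till, so the end-of-shift
# reconciliation control passes for all four.
REGISTER_STATS = {
    "teller_a": {"full": 820, "discount": 190},
    "teller_b": {"full": 790, "discount": 205},
    "teller_c": {"full": 845, "discount": 180},
    "teller_d": {"full": 430, "discount": 560},
}

def discount_share(counts):
    """Fraction of a teller's tickets that were rung up as discounted."""
    total = counts["full"] + counts["discount"]
    return counts["discount"] / total if total else 0.0

def z_vs_peers(teller, stats):
    """Two-proportion z-score: this teller's discount share vs. all other tellers pooled."""
    d1 = stats[teller]["discount"]
    n1 = d1 + stats[teller]["full"]
    d2 = sum(c["discount"] for t, c in stats.items() if t != teller)
    n2 = d2 + sum(c["full"] for t, c in stats.items() if t != teller)
    if n1 == 0 or n2 == 0:
        return 0.0
    pooled = (d1 + d2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return 0.0 if se == 0 else (d1 / n1 - d2 / n2) / se

def flag_tellers(stats, z_threshold=3.0, min_tickets=100):
    """Return (teller, discount share, z) for tellers far above their peers.

    Tellers with fewer than min_tickets sales are skipped: a handful of
    shifts is too little data to call a pattern an anomaly.
    """
    flagged = []
    for teller, counts in stats.items():
        if counts["full"] + counts["discount"] < min_tickets:
            continue
        z = z_vs_peers(teller, stats)
        if z > z_threshold:
            flagged.append((teller, round(discount_share(counts), 3), round(z, 1)))
    return sorted(flagged, key=lambda row: -row[2])

if __name__ == "__main__":
    for row in flag_tellers(REGISTER_STATS):
        print(row)
```

A flag is a prompt for review, not proof of fraud: a teller who staffs weekday matinees may legitimately sell more senior and student tickets, so shift and performance data belong in the follow-up.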

As you can tell from the list above, these are not the ordinary, run-of-the-mill accounting controls. These are more targeted and typically aimed at specifically identifying and preventing fraud. As you might guess, a fraud risk assessment is among the controls listed. A thoughtful discussion around how fraud can happen will naturally lead to ideas about how to prevent it. The studies conducted by the ACFE have shown that these controls are very effective at reducing the dollar loss of an ongoing fraud and catching those issues early.

With reputational damage being a paramount risk for any not-for-profit, the risk assessment process is a critical step for each organization to complete and periodically update. Putting controls like these in place to address specific risks at your organization creates a proven combination for early intervention and fraud reduction.

© Clark Nuber PS, 2015.  All Rights Reserved
