Preventing Fraud in the Era of Budget Cuts

The cost-cutting craze sweeping Corporate America is leaving internal control systems full of holes that could be potential entry points for fraud, even as temptation to commit fraud is soaring, a new survey says.

The Association of Certified Fraud Examiners polled more than 500 anti-fraud professionals, and more than half reported an increase in the number of frauds they have seen in the last year; 49 percent saw an increase in the total dollar value lost to fraud.

At the same time, among the 261 poll respondents who work as in-house fraud examiners, nearly 60 percent said their companies experienced layoffs or similar staffing restrictions during the past year. Almost 35 percent of the group said their companies eliminated some controls.

Turner

Combined, the two trends could put businesses at much more serious risk for financial fraud. “A company is like a tapestry,” says Jonathan Turner, a managing director at consulting firm Wilson-Turner Inc. “The threads all perform a function. When you cut headcount, you pull threads and create little holes … [Eventually], you can end up with a see-through piece of cloth.”

To avoid ending up with internal controls that look like Swiss cheese, experts say companies should examine their internal controls before they make cuts, to see how the changes will affect those controls—and then re-arrange controls as appropriate to maintain an effective system even with a reduced headcount.

McHard

“A cardinal error is that companies don’t think about how gutting a department guts their internal controls,” says Janet McHard, senior manager at accounting firm Meyners & Co. “Planning ahead is easier than figuring it out on an emergency basis two weeks later, or being surprised by a large fraud because your controls were absent.”

“A company is like a tapestry … The threads all perform a function. When you cut headcount, you pull threads and create little holes.”

— Jonathan Turner,

Managing Director,

Wilson-Turner, Inc.

That said, McHard and others readily admit that such advance planning is rarely what actually happens. For example, McHard recalls a 50-person company that laid off two members of the accounting department in a prior recession, inadvertently wiping out its entire control system around income and cash. Another company kept its controls on cash-outflows airtight after a downsizing, but gutted the controls on cash coming into the company and on bad-debt write-offs.

Chambers

Why the poor planning? Downsizing decisions are often based on criteria that overlook details like internal control and risks, particularly fraud risk, says Richard Chambers, president of the Institute of Internal Auditors. That means internal auditors should secure a seat at the table to help management assess the potential controls at risk as a result of any layoffs, he says.

“Functions viewed as overhead expenses or administrative costs are often prime targets for downsizing, but those functions may have key controls embedded,” Richards warns. Cutting them thoughtlessly can sharpen old risks or create new ones.

Creative Solutions

To combat the problem, Turner suggests companies increase the number of surprise audits, since audit processes and preparations tend to become scheduled over time. He also recommends auditors “look first where they and senior management have been the least.”

McHard says companies may be able to maintain their controls even with fewer people by going outside the accounting department. For instance, complaints that would normally go to someone in accounting could be re-routed to someone in legal or compliance. “It’s some work to set up,” she says, “but it’s a good control which is fairly low cost.”

KEY RECOMMENDATIONS

Recommendations from the Institute of Internal Auditors for helping an organization through the financial crisis.

1. Focus on recession-related risks and activities. Incorporate cost containment and revenue enhancement reviews into the audit activity. Review risks around reputation, liquidity, workforce reductions, and third-party vendors. Look at going concern issues and off-balance-sheet transparency, and ensure internal controls mitigate reputational risk. Cultivate a cultural mind-set so that all activities are scrutinized with corporate reputation in mind. Invite management to surprise drills, and discuss strategies if the unthinkable happens.

2. Increase communication with management and the audit committee. Know the expectations of the audit committee and management. Recognize the opportunity to advocate risk management and keep the audit committee informed of upcoming and emerging risks. Discuss and obtain agreement on any shifts in audit plan priority. Promote transparency at all levels.

3. Place renewed focus on risk management and corporate governance processes. Audit the effectiveness of the organization’s risk management and governance processes. Take a hard look at the organizational structure and business strategies, and ensure that there is a well-thought-out risk management process. Raise tough questions about oversight practices and strategies. Look at the board structure, reporting lines, and separation of duties.

4. Strengthen your risk assessment process. Reassess risks, including emerging external risks, and quantify the impact more frequently. Add a preparedness, velocity, and resilience factor to the risk assessment matrix, and subject every area of the risk assessment to a reputational risk litmus test. Assess the impact of compounded interrelated risks that if combined could snowball into a higher risk priority, and look toward the future to anticipate the next emerging risk.

5. Operate with a more flexible and adaptable audit plan. Reassess the audit universe regularly and change the audit plan to stay aligned with business objectives. Reprioritize resources to adapt to priority risks identified in the risk matrix, and shift assurance activities to risk management processes, operational controls, and cost containment/reduction and revenue enhancement activities. Keep an eye on what actions management is taking to cope in today’s environment.

6. Serve as a risk management educator. Help management and the audit committee understand where they stand in the ERM curve and work together to fill in the gaps. Facilitate risk management workshops, and advocate a rigorous self-assessment process to provide broader risk review coverage. Facilitate risk discussions at every opportunity.

7. Expand fraud testing in the audit plan. Incorporate technology to review a broader transaction universe for anomalies. Focus on recession-related risks, inventory shrinkage, overtime abuse, unauthorized accounts payables, and expense report padding.

8. Strengthen business knowledge. Couple audit methodology with a deep understanding of the business; find out what you don’t know and fill in the gaps. Focus on business objectives and strategies, and ensure that your audit plan considers and addresses the strategic risks to the organization. Partner with risk champions to improve organizational knowledge.

9. Strengthen your relationships and communications with the organization’s other governance, risk and control functions. Improve relationships with other risk and control groups, and meet with risk champions regularly. Build a strong relationship with management to stay abreast of business changes and strategies. Encourage open communication and sharing, facilitate risk discussion, and publish emerging risk lists.

10. Enhance the efficiency of your audit processes. As your businesses revamp and re-engineer their processes to enhance efficiency and cost effectiveness, put internal audit processes to the same test. Look for ways to shorten reporting time, increase the use of technology, and challenge internal audit teams to increase their efficiency.

Source

IIA White Paper (2009).

Companies can also increase the perception of detection by having all reviewers ask questions, “even ones they know the answers to,” McHard says. “That tells employees that someone is looking at what they’re doing.”

Asking your compliance and audit staffs to brainstorm ways to steal from the company can also help assess vulnerable spots, Turner says. “Whatever they come up with, your other employees can also come up with. Test those ideas to see if they work.”

And Chambers suggests that auditors update the risk assessments they use to determine audit plans more frequently, to stay abreast of layoffs and to alert management to potential risks in a timely manner.

Prevention is particularly vital amid tight budgets, since preventing a fraud is far less expensive than investigating and cleaning up the mess after one has occurred. “Companies get caught up in not wanting to spend, but every dollar spent protecting their existing resources has a fantastic return on investment,” Turner says. “Every dollar lost to fraud is a direct bottom line hit.”

That being said, observers say many of the usual fraud prevention rules apply when making cuts. One of the most commonly repeated, and most critical: tone at the top.

“It’s about attitude, not just where money gets spent,” McHard says. “Management should make it known that fraud prevention and protecting the company’s assets is everyone’s job, not just the accounting department.”

Companies can reinforce that message cheaply in a monthly newsletter or an e-mail blast. They should also remind employees about the methods for reporting any suspicious activities and conduct annual fraud training for all employees.

Ratley

James Ratley, president of the Association of Certified Fraud Examiners, says managers should be trained to recognize and report fraud’s red flags, since they typically are (or should be) the first ones to see it and understand the jeopardy. Companies should also demonstrate that fraud and other illegal acts will be punished “swiftly and surely.”

Meanwhile, Turner says leaders have to recognize the pressure that their workforce is under these days. Unemployment is up, health and retirement benefits are down, and economic fears are rampant. “If you leave cookies on the table, you shouldn’t be surprised if the kids sneak a cookie,” he says.

And Chambers advises companies not to forget the potential risk for fraud from outside the organization, such as third-party vendors. “In an environment where your business partners are also under duress recognize that it’s not just employees that might take advantage,” he says.