Internal control risks in business include the lack of sound internal control environment, poorly designed business processes, IT security risk, integrity and ethic risk, human errors and fraud risk.
The ACFE (Association of Certified Fraud Examiners) uses the fraud triangle as a model for explaining the factors that cause someone to commit occupational fraud. It consists of three components which, together, lead to fraudulent behavior: incentive/pressure, opportunity and attitude/rationalization.
To better understand fraud risk, we need to understand the fraud triangle below.
Three Components That Lead to Fraudulent Behavior
- The first component of the fraud triangle is incentive/pressure, which identifies what motivates people to commit fraud. For example, if an employee has a large debt caused by gambling issue or alcohol addiction, and the employee is unable to solve these issues and the employee has the incentive to commit fraud to satisfy the personal needs. The “solution” might be stealing cash from company or stealing inventory from company for resale, etc. The incentive also could be “beneficial” to work. Familiar examples are fraudulent financial reporting and misappropriation of assets to cover the poor performance or reach management’s financial goal.
- The second component of the fraud triangle is opportunity, which defines the method to commit fraud. A person must have the opportunity and be able to use the opportunity. For example, when there is no segregation of duties implemented in the cash process, an employee has access to issue, record, print and sign checks, what could happen? The employee could issue a check, record the check as something appearing appropriate, then print and cash the check.
- The third component of the fraud triangle is attitude/rationalization. The majority of fraudsters are most often ordinary people who think of themselves as loyal and honest employees. They tend to justify their wrongdoing to make it acceptable to themselves. For example, if an employee thinks he works hard and deserves more than he is paid, he might commit fraud when there is opportunity and justify the wrongdoing as the company “owes” him.
The fraud triangle is a starting point to understand fraud, but it is not a comprehensive tool for preventing and detecting fraud, because two components of the fraud triangle, incentive/pressure and attitude/rationalization, cannot be easily observed. Of the three components, opportunity is the component over which management and business owners have the most control. Opportunities exist for committing fraud when an organization has a poor internal control system. An effective control system is a critical step an organization can take to prevent and detect occupational fraud.
What Do You Need to Consider Regarding Fraud When Establishing an Effective Internal Control System?
- Enhance fraud awareness in your organization. You receive an email telling you that you have won an iPad and providing you a link to claim the prize. You open the link and find that you need to fill out personal confidential information including SSN and birth date to claim the prize. Does it sound familiar? If you have fraud awareness, you might know immediately that it looks like email scam. Similarly, if an organization puts efforts to enhance employees’ fraud awareness and lets employees know what practices are not acceptable and what consequences will be, the established fraud awareness can prevent and detect occupational fraud to the extent of self-awareness and group-monitoring. Note that sometimes the fraud of being caught is ineffective enough to prevent fraud. Furthermore, enhancement of fraud awareness plays an important role to reduce the risks of two components (incentive/pressure and attitude/rationalization) of the fraud triangle.
- Establish effective preventive and detective controls. When considering fraud, an organization needs to establish preventive controls to prevent fraud from occurring and establish detective controls to detect fraud when it occurs. For example, to prevent and detect fraud on stealing money through checks, an organization can adopt segregation of duties to have one employee to record checks and another employee to issue and print checks, in the meanwhile, a supervisor reviews and signs checks. The segregation of duties is a preventive control and the review is a detective control.
- Establish a responsive program to fraud. A responsive program means the actions taken to correct or remediate the harm caused by fraud. This step is often ignored by organizations. Once fraud has occurred, what should management do? The common response is to terminate the employee who commits fraud. What else? Has management considered why and how the fraud occurred?
- Was it because of weak processes and procedures?
- Was it because of unauthorized access to assets by employee?
- Was it because of the ineffective management review and supervision?
- Did the fraud cause the organization to lose money?
- Does the organization have legal counsel to prepare legal action to fraudsters?
- Does management need to communicate fraud to other employees where necessary?
To terminate fraudsters is not the only response to fraud. Management should identify the cause, communicate fraud to legal, prepare legal action where necessary, correct wrongdoing, remediate harm, and then communicate to the wider employee population that management has taken proper actions.
To help readers to establish an effective internal control system taking fraud risks in consideration, we will provide the top 10 actions your organization could take to prevent fraud. Please click the button below to download the file and let us know when you have any comments and questions.
Emma Zhang is an experienced audit professional, with more than six years of internal audit & Sarbanes Oxley (SOX) compliance focusing on operations, accounting, internal controls and process improvement. Competencies include operational auditing, accounting, management consulting, Sarbanes Oxley (SOX) compliance, audit planning and risk assessments, operational/financial planning and analysis, and data analysis. Emma is a resourceful, creative thinker and analytical problem solver with demonstrated ability to independently manage tasks from planning through execution in dynamic, fast-paced, and time-sensitive environments. Emma is a CPA with a CFE certificate. Emma is also a Blackline Certified Implementation Professional and helps clients to implement Blackline system.