Fraud has become something of a hot topic in the audit realm at present, although an argument could be made that it should always be a hot topic!
Indeed, the week this article was being drafted another story broke and another auditor was fined. This case concerned work around a fraud which had actually been detected, rather than a fraud which had been missed as has been the case in most of the memorable examples of the past few years, Patisserie Valerie and Autonomy to name a couple.
The term “fraud” itself can mean a variety of different actions in practice, but fundamentally it means a deliberate action which results in an entity’s financial statements being misstated.
Types of fraud
In an accounting and auditing context there are two main types of fraud – fraudulent financial reporting and misappropriation of assets.
Both types of fraud can occur with or without collusion. Generally, although not always, fraud involving collusion is harder to detect.
Looking in more detail, fraud can be further divided into two categories: fraud perpetrated by people outside the business and fraud involving deliberate acts by people inside the business.
Most fraud leading to business failure or significant losses tends to be orchestrated by people working within the business.
For example, this can involve manipulating revenue recognition policies in order to inflate results, or using off-balance sheet entities which are not consolidated into a business and obscure the true cash position by hiding debts.
At a lower level internally, this can involve simple theft, such as employees removing stock and selling it themselves, or creating fake invoices or employees and transferring funds to themselves.
Something we are also seeing increasingly frequently now is fraud involving third parties duping staff into making incorrect bank transfers.
How fraud occurs
Generally fraud can be said to occur due to a lack of appropriate controls, or a failure in existing controls being exploited.
The importance of appropriate controls (and indeed strong corporate governance) cannot be overstated when it comes to tackling fraud.
It is very easy for a lax control environment to arise if, for example, a business goes through a period of sudden growth and the control environment is not upgraded to keep up with the increased volume and/or complexity of transactions.
The attitude to controls within a business can also give rise to an environment where fraud is enabled; this is generally where a failure of existing controls can occur.
The most common situations where this happens are where either the control involves “checking” and the person carrying out the check does not actually do it or does so in a cursory fashion, or where a trusted employee is allowed to override controls repeatedly.
How to reduce the risk of fraud
As noted earlier in this article, fraud involving collusion can be very difficult to detect, and it should be no surprise, therefore, that it is also difficult to prevent without making the controls very cumbersome to apply. Even then, it can never be completely prevented. As such, this type of fraud risk is very difficult to reduce.
Risk of fraud by individuals acting alone can be reduced in various ways.
Often simple methods can be very effective, such as applying the “four eyes” principle, where important documents or transactions are reviewed by someone else within the business before execution. Knowing that another person will be reviewing an invoice, or a payment, or a calculation, can act as a deterrent to the fraud being instigated in the first place. Separation of duties is also key, although it can be difficult to implement for smaller businesses.
Beyond that, strong controls over ordering, payroll changes and bank payments are essential in reducing the risk of fraud.
For example, most businesses now process all payments electronically – the key consideration here is who needs to be able to set up a new supplier, or amend a supplier’s bank details? Who can approve payments and who can only generate the initial payment?
Allowing any member of staff to both set up and approve their own payments increases the risk of fraud occurring at some point. The person permitted that authority may be entirely trustworthy, but what if they have a period of long-term sickness and someone else covers their work temporarily, or they leave the business and their replacement inherits the same “profile” settings? Will this be remembered, at what may be a very stressful time for the finance or management team?
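The questions above can be checked against an export of user profiles and payment records from the payments system. The following is an added example, not part of the original article; the permission names, users and records are constructed for illustration and will differ in any real system.

```python
# Added example: permission names, users and records below are constructed.
MAINTAIN = {"create_supplier", "amend_bank_details"}
GENERATE = "generate_payment"
APPROVE = "approve_payment"

PROFILES = {
    "alice": {"create_supplier", "amend_bank_details"},
    "bob": {"generate_payment"},
    "carol": {"approve_payment"},
    # Temporary cover that inherited a predecessor's profile unchanged.
    "dave": {"amend_bank_details", "generate_payment", "approve_payment"},
}

SUPPLIER_CHANGES = [  # (supplier, action, changed_by)
    ("S-100", "create_supplier", "alice"),
    ("S-200", "amend_bank_details", "dave"),
]

PAYMENTS = [  # (payment_id, supplier, generated_by, approved_by)
    ("P-1", "S-100", "bob", "carol"),
    ("P-2", "S-100", "dave", "dave"),
    ("P-3", "S-200", "bob", "dave"),
]

def conflicting_profiles(profiles):
    """Users whose profile lets them approve payments they could also originate."""
    conflicts = {}
    for user, perms in profiles.items():
        if APPROVE in perms:
            origin = perms & (MAINTAIN | {GENERATE})
            if origin:
                conflicts[user] = sorted(origin)
    return conflicts

def four_eyes_violations(payments, supplier_changes):
    """Payments whose approver also generated them or touched the supplier record."""
    touched = {}
    for supplier, _action, user in supplier_changes:
        touched.setdefault(supplier, set()).add(user)
    findings = []
    for pid, supplier, generated_by, approved_by in payments:
        if approved_by == generated_by:
            findings.append((pid, "self-approved"))
        elif approved_by in touched.get(supplier, set()):
            findings.append((pid, "approver maintained supplier"))
    return findings

print(conflicting_profiles(PROFILES), four_eyes_violations(PAYMENTS, SUPPLIER_CHANGES))
```

The first check looks at what a profile permits, so it catches an inherited profile before it is used; the second looks at what actually happened in the payment history.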
Similar examples could be found within payroll operations, not just where payroll is managed in-house, but also in certain circumstances where payroll is outsourced, particularly if payroll payments are still made internally.
Every business is different, so although there are certain general principles which can be widely applied, it is important for controls to be tailored to a specific business at a specific point in time.
We are always more than happy to offer our thoughts on ways to reduce fraud risk, so if you would like to discuss this in more detail then please do get in touch.