By Dr Marios Menexiadis CPA, CPIA Prof.post GRC, Professor Dr at Berlin School of Business and Innovation (BSBI).
Dr Christos Lemonakis CPA, CMA, Professor Dr at Professor Dr at Berlin School of Business and Innovation (BSBI).
Detecting and preventing fraud is one of the biggest challenges of our times. There are many different types of fraud as well as theft, that consequently require different methods of detection and prevention.
Research has shown that fraud is often committed by more senior positions in the management hierarchy. However, almost every department of a company faces the risk of its employees committing fraud.
The question arising at this point is, why do employees commit fraud? Is it just because of the personal benefit, because of the sense of achievement in breaking or overcoming the system?
Vendor fraud can be committed by employees who act alone or by colluding with vendors. Types of vendor fraud may include billing schemes, bribery and kickbacks, check tampering, overbilling or price fixing.
Accounting fraud happens, when an employee manipulates the company’s accounts to cover up theft or uses the company’s accounts payable and receivable to steal for their own benefit. Accounting fraud may include embezzlement, accounts payable fraud, fake supplier, personal purchases, double check fraud or accounts receivable fraud.
Payroll fraud is theft from an employee via a company’s payroll system. It may include ghost employee schemes, advance fraud or timesheet fraud.
Asset misappropriation is the theft of company’s assets by an employee, which is also known as insider fraud. It includes check forgery, check kiting, check tampering, inventory theft, theft of cash, theft of services, expense reimbursement, expense account fraud, procurement fraud, payment fraud, workers’ compensation fraud, commission fraud or personal use of company vehicle.
Fraud, as bribery and kickbacks, can cause more damage than the finance since this can deter business or affect the stock price. These frauds can include bribes, kickbacks and shell company fraud schemes.
Data theft can be disastrous for a company that relies on its intellectual property for its product or service. It can also compromise marketing and sales efforts or put the company in a precarious position with authorities when personally identifiable information is stolen (GDPR breach). Data theft may include trade secret theft, theft of customer or contact lists, theft of personally identifiable information.
Fraud detection and prevention
The big challenge is to find ways to discover the fraud. Fraud detection requires various methods depending on the type of fraud that the internal auditors attempt to detect. However, the biggest challenge is to find ways to prevent fraud before it is committed, meaning that a series of preventive controls should be in place. The internal auditor can be a very useful tool, who can add value to a company’s control system, through the various checks that they can perform, but the ultimate responsibility lies on management for the development and application of preventive controls.
With regards to detection of vendor fraud, the internal auditor could conduct random audits of vendor files, verify the vendor’s business name, tax number, phone number, address, bank account, compare vendor’s addresses with employee addresses, review the vendor master file. On a prevention level, controls applied by management may include the proper segregation of duties between the check preparer and check signer, or to rotate duties of employees in procurement.
With a view to detecting accounting fraud, the internal auditor could conduct random audits of accounts payable and accounts receivable records. On a prevention level, controls applied by management may include proper segregation of duties between the functions of account setup and approval, an outside contractor to review and reconcile accounts at regular intervals, to rotate duties of employees in accounts payable and accounts receivable, set up an automated positive pay system to detect fraud.
With regards to detecting payroll fraud, the internal auditor could reconcile balance sheets and payroll accounts on a frequent basis, perform data analytics on payroll records to search for matching addresses, names and bank accounts, or check payroll records to ensure terminated employees have been removed from the payroll. On a prevention level, controls applied by management may include managers to approve timesheets and overtime claims, mandatory vacations for payroll employees, restriction payroll department employees to modify pay rates and hours, as well as to separate the tasks of preparing payroll checks and reconciling payroll account.
With a view to detecting asset misappropriation, the company’s internal auditor could perform background checks on employees, implement checks and balances or perform random audits of company’s accounts. On a prevention level, controls applied by management may include proper segregation of duties between the function of the check preparer and the check signer, the rotation of duties of accounts’ employees, proper protection of checks, commissions to be paid only after goods and services have been delivered, or to develop a whistleblowing channel.
With regards to bribery and corruption prevention, controls should include the development of a code of ethics, assurance that those at the top levels set an example that makes it clear that bribery and corruption are not tolerated, conduct of a risk assessment to look for areas to watch more closely as well as training of employees on bribery and corruption prevention.
Finally, with regards to data theft, prevention controls could include a number of measures. Restriction of access to company proprietary information to only those who need it in the course of their jobs, set up of IT controls to alert management of large data downloads or transfers or downloads and transfers that occur at odd times would provide a sensible monitoring approach. Moreover, purchase of software that alerts management of suspicious activity on a company network, shredding documents and removing data from electronic devices before redeploying or disposing of them would also improve the ability to prevent fraudulent attempts.
Experience has shown that fraud cases need an average of one year and a half before being detected. Imagine the type of loss your company could suffer with an employee committing fraud for a year and a half. So small gestures, such as recommending the use of strong passwords for all computers and devices that can access sensitive information or implementing a clean-desk policy that prohibits employees from keeping sensitive information on their desks while they are not present, would indeed help to ensure the safety of business activities. The most important thing is to build a positive culture with a shared interest in protecting the business from within. Building the appropriate culture is maybe the best control, but it takes a life not just to build it, but to live with and certainly it starts from the top management.