With the close of fraud prevention month, Oversight wanted to recap our favorite fraud prevention tips. How many of our examples below apply to your organization?
Tip #1 - Know the Early Warning Signs
There are always precursors to fraud schemes, but here are the two we see most often:
1.) Mistakes that go uncorrected - For example, a vendor calls an Accounts Payable department and says, “You guys paid me twice.” Someone in AP makes a note to fix this mistake, but never gets around to it. A few weeks later the vendor calls again. As these errors go uncorrected, it shows others in the organization that no one cares. This failure to fix errors leaves a huge opportunity open for those business hackers within an organization, as they are always looking for holes in a process so they can take advantage of a situation.
2.) Failure to segment errors from misuse/abuse - At first, fraud won’t look any different from an error. It is only over time that errors begin to form patterns that alert auditors to fraud attempts. By then, your company has already lost money, because you were unable to segment the errors from fraud attempts and it took months or years to see the difference.
The best way to combat this is to know the difference between honest errors, policy misuse, and blatant fraud. Often policy misuse isn’t about personal gain; it can be about getting things done.
Example: Perhaps a customer needs something done ASAP, so a salesperson bypasses policy to meet the customer’s needs. This isn’t deceitful or fraudulent, but it’s also not policy. Who knows whether the next person to bypass policy will be doing it in the interest of the company or for personal gain? So, in order to create the most effective fraud prevention policy, it is really important for companies to figure out why someone has done something non-compliant.
Tip #2 - Don’t assume the data in your system is valid
Back in the non-digital era, there was a lot more control surrounding a company’s data. More people had contact with a business product and interacted with its output and accuracy because it was a tangible piece of paper. Nowadays many think, “Since it is in the system, it must be fool-proof.”
Example: Every organization has a master vendor file, and it really only changes when a new vendor is added or an existing vendor has a change of information. Many companies don’t log changes in their master vendor files because of the system performance impacts that this logging has. An opportunist could go in, change information for a company, re-route a check to a personal address or bank account, and then change the information back without being detected.
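The change-and-revert pattern in this example can be checked for once changes to the vendor file are logged. The following is an added illustration, not Oversight's code: it assumes a change log and a payment register exported as simple records, and every field name and sample value is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records; field and column names are assumptions.
CHANGES = [  # (time, vendor, field, old value, new value, user)
    (ts("2024-03-01 09:00"), "V100", "bank_account", "ACCT-111", "ACCT-999", "jdoe"),
    (ts("2024-03-04 17:00"), "V100", "bank_account", "ACCT-999", "ACCT-111", "jdoe"),
    (ts("2024-03-05 10:00"), "V200", "remit_address", "1 Main St", "5 Oak Ave", "asmith"),
    (ts("2024-03-06 11:00"), "V300", "bank_account", "ACCT-222", "ACCT-223", "asmith"),
    (ts("2024-03-06 11:05"), "V300", "bank_account", "ACCT-223", "ACCT-222", "asmith"),
]
PAYMENTS = [  # (time, vendor, amount)
    (ts("2024-03-02 14:00"), "V100", 18500.00),
    (ts("2024-03-10 14:00"), "V200", 4200.00),
]

def find_reverted_changes(changes, payments, window=timedelta(days=30)):
    """Return change/revert pairs plus payments issued while the altered value was live."""
    history = defaultdict(list)
    findings = []
    for when, vendor, field, old, new, user in sorted(changes):
        for first in history[(vendor, field)]:
            # A revert restores the value that an earlier change replaced.
            if first["old"] == new and when - first["when"] <= window:
                exposed = [p for p in payments
                           if p[1] == vendor and first["when"] <= p[0] < when]
                findings.append({
                    "vendor": vendor, "field": field,
                    "changed_by": first["user"], "reverted_by": user,
                    "changed_at": first["when"], "reverted_at": when,
                    "payments": exposed,
                    "exposed_amount": sum(p[2] for p in exposed),
                })
                break
        history[(vendor, field)].append({"when": when, "old": old, "user": user})
    # Pairs that had money move during the window come first.
    return sorted(findings, key=lambda f: -f["exposed_amount"])

if __name__ == "__main__":
    for f in find_reverted_changes(CHANGES, PAYMENTS):
        print(f["vendor"], f["field"], f["changed_by"], f["exposed_amount"])
```

A revert with no payment in the window, like the five-minute correction on V300, is still reported but sorts below pairs where money moved, so reviewers can separate likely typo fixes from changes that redirected a payment.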
Tip #3 - Don’t assume controls prevent fraud
Most audit testing is based on a control working 95% of the time. If 95% of the time is the bar, then that still means 5% of the time the controls might not work.
Example: Accounts Payable Clerk #1 has a main job function of approving invoices for payment. His supervisor doesn’t normally have authority to approve invoices, but takes over when Clerk #1 goes on vacation. Clerk #2 processes all of the checks for approved invoices, and the supervisor also takes this over when Clerk #2 goes on vacation. Now, when the two clerks are out, the supervisor is both approving invoices and creating payments for them. Do you see the problem? We don’t expect him to perform both functions, but he could fabricate anything and approve it for payment without any oversight if he isn’t monitored. This is a rare occasion, but it still happens.
Tip #4 - Don’t assume modern ERP systems automatically prevent fraud
Example: An early Oversight client began outsourcing their accounts payable department to a company in India. An executive assistant at the client’s company began creating “ghost” invoices from car services in an attempt to steal money. The AP provider in India was simply entering the orders, and no one there noticed because they didn’t have any knowledge of the area/industry to know which invoices/car services were real. The fraud was only detected once another EA at the company began spot-checking the output and realized the car service invoices weren’t from the regular provider.
Tip #5 - Don’t trust a person who never takes a vacation
This is a classic fraud tip. People who perpetrate fraud often don’t want to go on vacation because someone else will take on their role while they are out, and thus they are fearful of being discovered. Combat this by forcing your employees to use all of their vacation days.