Many businesses had to go into survival mode because of the macroeconomic challenges of the COVID-19 pandemic. For some companies, that meant rapidly changing operating procedures to satisfy changing customer preferences, often without sufficient time to immediately set up appropriate internal controls.
While carrying out in-depth internal control checks could "slow down" the business in this time of intense pressure, these checks are necessary to protect the company from internal and external fraud.
Fraud losses can be significant, and at times of financial stress, losses need to be kept to an absolute minimum. An investment in proper controls could save a lot more down the line, and accountants can help quantify the risk.
Here are several potential fraud risks and advice for establishing internal controls to address those risks.
Weak business partner screening
In the race to keep up in a rapidly changing and constrictive environment, internal controls, especially those related to screening of third parties, such as customers, agents, and vendors, may be overlooked. This could expose companies to an increased counterparty or compliance risk.
For example, sales representatives might be tempted to agree to unfavorable terms and conditions to secure scarce sales. Potential new customers with less stringent internal controls, which may have once been deemed too risky from a compliance perspective, are now dealt with because "they are customers."
Ensure that the internal controls around third-party screening are strong by reassessing your screening procedure and adapting it for an increasingly virtual world. Some controls that were carried out before the pandemic, such as visits to third parties' premises or personal meetings with key personnel, cannot be carried out in the same way because of reduced mobility. Instead of skipping these controls, substitute them with pandemic-friendly controls, such as conducting video tours of third-party premises and increasing the number of virtual checkpoints with the personnel of the third party.
Avoid skipping controls or cutting corners when performing compliance checks such as sanction checks, adverse media screening, know-your-customer procedures, ownership structure analysis, credit checks, and business references review. Always perform these controls before engaging in any contractual obligation with the third party.
Meanwhile, procurement departments might also be inclined to skip some of the regular vendor checks in situations where a regular vendor cannot deliver on time and a substitute supplier is needed immediately. In situations with high time and delivery pressure, the procurement department might be tempted to shorten the usual process by cutting out some critical controls. For example, fraudulent companies might approach the procurement department requesting prepayments in advance of the delivery of the goods or services and then disappear without providing the agreed service or not delivering the material. Or employees working in the procurement department under financial stress might be susceptible to bribery.
In this context, companies should enhance scrutiny over new vendors that request significant prepayments ahead of providing any service or delivery of supplies. Organizations should also watch out for new vendors, particularly those without significant business relationships, and conduct open-source research to ensure that the vendor is not a known fraudster. Finally, if the planned spend is significant, consider hiring a company that specializes in conducting company background checks.
Organizations should also stay abreast of the latest fraud schemes by reading official government websites and dedicated resources, such as the AICPA's FVS Eye on Fraud newsletter. Fraud red flags should also be communicated regularly to employees and be included in training.
Internal fraud risk
Increased personal pressure, such as financial difficulties, stress, and difficulty coping with the virtual environment, could lead to an increased risk of fraud. Employees working remotely who aim to defraud the company have time to do so and are out of sight. Furthermore, they have access to company systems, which, if not adequately controlled and restricted by strong segregation-of-duties and access controls, could present several opportunities for internal fraud.
To help minimize the risk of internal fraud, keep in touch with your colleagues and be aware of what is going on in their lives. Ask questions exactly as you would if you were all working in the office. In your communication, emphasize that the company needs to have strong internal controls in place, even more so, in a remote-work environment. The perception of control is an excellent deterrent for fraud and can be leveraged to prevent internal fraud.
The COVID-19 crisis has accelerated the digitalization process for many organizations. Some had already invested in the technological infrastructure and were ready to run their businesses digitally when the pandemic hit.
However, other companies were not ready and had to set up digital processes without sufficient preparation, investments, skills, and time. Virtual processes that launched quickly, and under pressure, may not have been designed with robust internal controls embedded. Poorly designed processes without compensating internal controls might open up opportunities for fraud.
For example, if a company did not already have an IT system able to support invoice approval workflows, undoubtedly it would be challenging to implement the process quickly from scratch. This challenge might lead the company to opt for more flexible but looser control systems, such as invoice approval via email (easy to modify) or signatures on scanned invoices (prone to forgery).
To minimize risks from increasingly digital processes, review existing processes to identify pain points and redesign them to ensure that they are practical and achieve adequate internal controls. Within the organization, take time to establish and communicate ground rules on implementing such internal controls to ensure consistent oversight and easier identification of suspicious activity.
About the author
Cecilia Locati, FCMA, CGMA, is the founder of Internal Control Toolbox and vice president of risk, compliance, and internal audit for RHI Magnesita.
To comment on this article or to suggest an idea for another article, contact Drew Adamek, a JofA senior editor, at Andrew.Adamek@aicpa-cima.com.
- "Preventing Disaster Fraud," FVS Eye on Fraud, Winter 2020
- "How CPAs Can Fight Fraud in the COVID-19 Pandemic," JofA, April 6, 2020
The Certified in Financial Forensics (CFF) credential positions forensic accounting professionals for increased demand in one of the fastest-growing specialty areas for CPAs. To become a CFF credential holder, the CFF Roadmap serves as a step-by-step guide illustrating how a CPA, at any level of expertise, can utilize the resources provided to FVS Section members to embark on the journey of obtaining the AICPA's CPA-exclusive forensic accounting credential. For more information, visit aicpa.org/membership/join/credentials.html.
For more information or to make a purchase, go to future.aicpa.org/cpe-learning or call the Institute at 888-777-7077.
PUBLICATION: This guide provides implementation guidance that defines principles and points of focus for fraud risk management and describes how organizations of various sizes and types can establish their own fraud risk management program.
CPE SELF-STUDY: This CPE course provides you with the technical knowledge required for the CGMA exam related to strategic management accounting. It focuses on control environments, identifying weaknesses and compliance failures, identifying controls to manage risks, and the costs and benefits of maintaining the internal control system.
Revenue and Cash Receipts: Common Frauds and Internal Controls
WEBCAST: This webcast covers the common types of fraud in the revenue and cash receipts processes so you can gain a better understanding of internal controls that can mitigate various risks, and develop an analytical process to ensure efficient and effective risk management.