Developing a strong fraud-mitigation program

Recessions give rise to innumerable challenges to business operations, not the least of which are growing instances of fraud.

As the economic challenges caused by the COVID-19 pandemic drag on, business owners are at increased risk of fraud and embezzlement, with all its associated costs. Indeed, LexisNexis recently reported that the cost of fighting fraud is set to increase 7.3% due to the coming surge of fraud.

Prudent managers will seek to root out fraud risk before the cost becomes prohibitive. CPAs, particularly those who specialize in forensic accounting, are uniquely positioned to help business owners implement fraud-mitigation plans and minimize pandemic-induced malfeasance.

The following practices can aid in creating an effective fraud-mitigation plan.  

Assess risk. The first step to mitigating fraud in your organization is to establish a fraud risk assessment plan. Once management identifies and understands the risks to your business and internal control weaknesses, further steps can be taken to minimize loss.

According to Ari Ginsberg, CPA, manager at New York-based CFO consulting firm CFO Squad, there are several elements to a fraud risk assessment plan.

“The first step is to identify any possible fraud schemes,” Ginsberg said. “These can include fraudulent disbursements, undisclosed relationships, revenue recognition schemes, manipulation of liabilities and expenses, inappropriate journal entries, and improper reporting and disclosures.”

Once potential fraud schemes are identified, Ginsberg explained, the next step is to identify which anti-fraud controls are currently in place and how effective they are at actually preventing fraud. Next, ascertain the likelihood of a fraudulent event and the impact on your organization. Finally, appoint a responsible party to oversee and monitor anti-fraud controls.

Segregate duties.  An effective fraud mitigation plan will include a requirement to separate duties between multiple parties. “The segregation of incompatible duties is key to the reduction of fraud,” said Kevin Hyams, CPA, partner in charge of Friedman, LLP’s Governance, Risk and Compliance Services practice. “Segregating the functions of initiating, authorizing, and recording of transactions is fundamental to effective fraud control. Where appropriate segregation of duties is not practical or feasible, mitigating controls may include reconciliations, supervisory reviews of audit trails and rigorous management oversight.”

Hyams pointed to the AICPA’s recently released “Examples of Controls in Small Entities,” which provides internal control guidance to small businesses. “The AICPA guidance includes multiple examples of ways to segregate duties, in recognition of its importance to a fraud mitigation program,” he said.  

Manage workflow. One of the challenges most organizations currently face is that an increasing number of employees now work from home, which can give rise to a host of organization headaches. “In the current environment, workflow is harder to manage,” said Hyams. “Because of COVID-19, white-collar professionals are more likely to be working from home than in the past. In this unfamiliar environment, workers who can no longer walk over to their supervisor’s desk are less likely to include proper supporting documentation, and their supervisors are more inclined to overlook it.” Hyams explained that there is a much heavier reliance on email as an authorization method than in the past. Supporting documents that are normally appended to workflow are often omitted from email authorization requests.

“It is absolutely essential,” Hyams said, “that organizations mandate the attachment of supporting documentation to email authorization requests.”

Unethical employees may take advantage when managers authorize transactions via email even if the proper documentation is omitted. It is therefore crucial that any fraud-prevention plan mandates that supporting documentation be included in email requests, and that requests are not approved unless proper documentation is included.

Reconcile everything. The regular review of transactions is an effective way to combat fraud. In the chaotic business environment engendered by the pandemic and the accompanying economic uncertainty, it is easy to overlook the financial record review process. Oversights of this kind can create opportunities for employees to take advantage and misappropriate assets, since business managers are more likely to be focused on ensuring business survival than on the routine review of the books.

According to Hyams, reconciling books and records is an effective way to fight fraud. “Good fraud prevention requires the regular reconciliation of accounts performed by one individual and reviewed by another,” said Hyams. “Businesses should take care to conduct regular bank reconciliations and also to reconcile subledgers to the general ledger.” Hyams cautioned that the reconciliation process should be monitored by a member of senior management for maximum efficacy.

Paul Miller, CPA, managing partner of the New York City-based Miller & Company, LLP, concurred. One of Miller’s clients, the owner of a $15 million enterprise, approached Miller with reports of cash flow problems. Miller reconciled the company’s records and discovered that the bookkeeper had stolen $5 million from the firm. Miller’s client immediately contacted law enforcement and began litigation proceedings. “My client did not regularly reconcile his books,” Miller explained. “If he had, this entire episode may have been avoidable.”

Establish bank authorization protocols. Hyams suggested organizations instruct their banks to adopt a dual-authorization policy when it comes to monetary withdrawals. “All money transfers above a certain threshold through banking organizations should involve a callback to an authorizing individual,” he said.

Hyams said this practice can be easy to overlook in a work-from-home environment, which is why increased vigilance is necessary. “It is critical that banks be instructed to only release funds under dual authorization,” he said.

Fraud is not the sole purview of low- and mid-level staff, Ginsberg pointed out. He tells his clients to ensure that even members of senior management are not authorized to withdraw funds without dual authorization. “Lower-level employees are often hesitant to challenge their superiors,” Ginsberg said. “That’s why it is important to make sure any fraud mitigation program factors in management activity.”

Look out for red flags. According to Ginsberg, fraud mitigation programs should be able to flag indicators of potentially fraudulent activity. Ginsberg explained, by way of example, that journal entries posted at irregular times may indicate suspicious behavior. “If a journal entry was created over the weekend or during a holiday, it might be a sign that someone is creating a fictitious transaction, perhaps to overstate revenue,” he said.

Another red flag Ginsberg mentioned is large transactions posted toward the end of the year. “In an environment where there is a lot of pressure to demonstrate a high volume of sales many organizations are tempted to post fabricated transactions at year-end in order to pad their income statement,” he said. “A strong fraud prevention program will be able to identify this type of activity.”

— Joshua Wiesenfeld, CPA, is a financial investigator at Labaton Sucharow LLP. To comment on this article or to suggest an idea for another article, contact Drew Adamek, a JofA senior editor, at Andrew.Adamek@aicpa-cima.com.