Successful fraud prevention involves creating an environment which inhibits fraud. Taking immediate and vigorous action if fraud is detected is not only necessary to prevent future losses but also helps deter other frauds. A manager who is alert to the possibility of fraud and who acts accordingly on a day-to-day basis is a powerful deterrent to fraud.
When deficiencies in the level of control have been identified it is necessary to choose the most appropriate type of controls. Fraud should be deterred wherever possible. Similarly, prevention is always preferable to detection. Strong preventive controls should therefore be applied wherever possible. Detecting fraud is usually more difficult and less certain. Detection measures are established to detect errors, omissions and fraud after the events have taken place. The following range of controls should be considered:
This is a preventive measure which controls or monitors access to assets, documentation or IT systems to ensure that there is no unauthorised use, loss or damage. Assets can range from the computer terminal which sits on your desk to the cheques sent out to pay suppliers. All assets should be held securely and access to them restricted as appropriate. The control should apply not only to the premises but also to computers, databases, banking facilities, documents and any other areas which are critical to the operation of the individual organisation. It may even be appropriate to restrict knowledge of the existence of some assets.
Access to computer systems is an important area which should be very tightly controlled, not only to prevent unauthorised access and use, but also to protect the integrity of the data; the Data Protection Act requires computer and data owners to secure information held on their systems which concerns third parties. The threat to computers can come from both inside and outside an organisation as computer hackers may gain access in order to extract or corrupt information. The computer itself is also vulnerable to theft, both in terms of hardware and software. This type of theft has the additional cost of potential major disruption to the core operations of an organisation.
Individuals or groups need to be allocated responsibilities so that they work together to achieve counter-fraud objectives in the most efficient manner. The major principles are:
- clear definition of the responsibilities of individuals for resources, activities, objectives and targets. This includes defining levels of authority. This is a preventive measure which sets a limit on the amounts which may be authorised by individual officers. To be effective, checks need to be made to ensure that transactions have been properly authorised;
- establishing clear reporting lines and the most effective spans of command to allow adequate supervision;
- separating duties to avoid opportunities for abuse. This is also largely a preventive measure which ensures that the key functions and controls over a process are not all carried out by the same member of staff, e.g. ordering goods should be kept separate from receipt of goods; similarly authorisation and payment of invoices; and
- avoiding undue reliance on any one individual.
Supervision is the function by which managers scrutinise the work and performance of their staff. It provides a check that staff are performing to meet standards and in accordance with instructions. It includes checks over the operation of controls by staff at lower levels. These act as both prevention and detection measures and involve monitoring the working methods and outputs of staff. These controls are vital where staff are dealing with cash or accounting records. Random spot checks by managers can be an effective anti-fraud measure.
This is largely a detection measure, although its presence may have a deterrent effect and thus prevent a fraud. An audit trail should ensure that all transactions can be traced through a system from start to finish. In addition to allowing detection of fraud it enables the controls to be reviewed.
Monitoring and evaluating
Management information should include measures and indicators of performance in respect of efficiency, effectiveness, economy and quality of service. Effective monitoring, including random checks, should deter and detect some types of fraudulent activity. Policies and activities should be evaluated periodically for economy, efficiency and effectiveness. These evaluations may be performed by the management of the operation, but they are usually more effective when performed by an independent team. Such evaluations may reveal fraud.
Adequate staffing is essential for a system to function effectively. Weaknesses in staffing can negate the effect of other controls. Posts involving control of particularly high value assets or resources may need the application of additional vetting procedures.
Asset registers used for management accounting purposes can help detect losses which may be caused by fraud.
Use of budgets and delegated limits for some categories of expenditure and other accounting controls should ensure that expenditure is properly approved and is properly accounted for by the responsible manager. This should limit the scope for fraud and should cause some types of fraud to be detected.
Controls over the development of new systems and modifications to existing systems or procedures are essential to ensure that the effect of changes is properly assessed at an early stage and before implementation. Fraud risks should be identified as part of this process and the necessary improvements in control introduced.
No organisation can function without its staff. Managers should try to ensure that staff have neither the opportunity nor the motivation to commit fraud. Under the right conditions staff are themselves an excellent deterrent against the act of fraud. Managers should therefore seek to ensure that the conditions are right:
- staff should be vetted as appropriate
- references should be taken up before appointment
Managers should also be alert to any signs that might indicate that fraud is taking place. These may be:
- staff under stress without a high workload
- always working late
- reluctance to take leave
- refusal of promotion
- unexplained wealth
- sudden change of lifestyle
- new staff resigning quickly
- cosy relationships with suppliers/contractors
- suppliers/contractors who insist on dealing with one particular member of staff