7 Priorities to Kick-Start Your Anti-Fraud Program

By Peter Millar, Director of Technology Application, ACL Services Ltd.
Whether it occurs in the form of carefully crafted Ponzi scams, fudging financial reports or theft from one’s own employer, fraud is reaching alarming proportions and is not without its costs. Businesses and government agencies worldwide suffer hundreds of billions in lost or misused funds, diminished value, and irreversible damage to company reputation and customer trust.
Making matters worse (and no thanks to the economic downturn), many organizations have been forced to cut staff, freeze spending and skimp on internal control and process assurance, which has left organizations more vulnerable to risk and fraud.
Now is the time for Internal Audit teams to step up fraud prevention and detection. Here is a quick list of priorities to kick-start your program.
1. Build a profile of potential frauds.
Take a top-down approach to your risk assessment, listing the areas in
which fraud is likely to occur in your business and the types of fraud
that are possible in those areas. Then qualify the risk based on the
overall exposure to the organization. Focus on risks that have the
greatest chance of reducing shareholder value — for example, processes
that affect the extended supply chain such as safety, quality,
reliability of suppliers and processes.
Develop fraud risk profiles as part of an overall risk assessment and include necessary stakeholders and decision makers. You’re not likely to make friends throughout the organization by conducting this on your own. For example, if you think fraud is happening with purchasing cards, include the p-card manager in the discussions. That way it’s a joint effort that will benefit both parties and hopefully result in a more comprehensive approach to fraud risks in that area.
2. Test transactional data for possible indicators of fraud.
You must test 100 percent of the data, not just random samples. While
sampling may be effective for detecting problems that are relatively
consistent throughout data populations, that isn’t always the case for
fraud. Fraudulent transactions, by nature, do not occur randomly.
Transactions may fall within boundaries of certain standard testing and
not be flagged. Further, using the sampling approach, you may not be
able to fully quantify the impact of control failures and you may not be
able to estimate within certain populations. You could miss many smaller
anomalies and sometimes it’s the small anomalies that add up over time
to result in very large instances of fraud.
In order to effectively test and monitor internal controls, organizations need to analyze all relevant transactions.
3. Improve controls by implementing continuous auditing and monitoring.
Strengthen controls over transaction authorizations and use continuous
auditing and monitoring to test and validate the effectiveness of your
controls. Repetitive or continuous analysis for fraud detection means
setting up scripts to run against large volumes of data to identify
those anomalies as they occur over a period of time. This method can
drastically improve the overall efficiency, consistency and quality of
your fraud detection processes. Create scripts, test the scripts and run
them against data so you get periodic notification when an anomaly
occurs in the data.
You can run the script every night to go through all those transactions for timely notification of trends and patterns and exceptions reporting that can be provided to management. For example, this script could run specific tests against all purchasing card transactions as they occur to ensure they are in accordance with controls.
4. Communicate the monitoring activity throughout the organization.
A big part of fraud prevention is communicating the program across the
organization. The old adage, “an ounce of prevention equals a pound of
cure” rings true for fraud detection. If everyone knows there are
systems in place that alert to potential fraud or breach of controls,
and that every single transaction running through your systems is
monitored, you’ve got a great preventative measure. It lets people know
that they shouldn’t bother, because they will get caught.
5. Provide management with immediate notification when things are going wrong.
It is better to raise any issues right away than explain why they
occurred later. Create audit reports with recommendations on how to
tighten controls or change processes to reduce the likelihood of
recurrence. And, don’t forget to quantify the impact to the business.
Data analysis technology can quantify the impact of fraud so you can
actually see how much it’s costing the organization and provide a
cost-effective program with immediate returns.
6. Fix any broken controls immediately.
Segregation of duties is important. If you can initiate a transaction,
approve the transaction, and also be the receiver of the goods from the
transaction, there is a problem.
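The following Python is an added example, not code from the article or from ACL: it runs the checks described in items 2, 3 and 6 over every purchasing-card transaction instead of a sample. The field layout, the 500 and 1,000 limits and the sample rows are constructed assumptions.

```python
# Added example: full-population tests over purchasing-card transactions.
# Field names, limits and the sample rows are constructed assumptions.
from collections import defaultdict
from decimal import Decimal

SINGLE_LIMIT = Decimal("500.00")   # assumed per-transaction approval limit
REVIEW_TOTAL = Decimal("1000.00")  # assumed review threshold per initiator/vendor

# Constructed sample data: (id, initiator, approver, receiver, vendor, amount)
TRANSACTIONS = [
    ("T1", "alice", "bob",   "carol", "Acme",   "120.00"),
    ("T2", "dave",  "dave",  "dave",  "Zenith", "480.00"),
    ("T3", "erin",  "bob",   "erin",  "Orbit",  "490.00"),
    ("T4", "erin",  "bob",   "erin",  "Orbit",  "495.00"),
    ("T5", "erin",  "frank", "erin",  "Orbit",  "499.00"),
    ("T6", "alice", "bob",   "carol", "Acme",   "2300.00"),
]

def segregation_failures(txns):
    """IDs where one person initiated, approved and received (item 6)."""
    return [t[0] for t in txns if t[1] == t[2] == t[3]]

def accumulated_small_spend(txns, single_limit=SINGLE_LIMIT, total=REVIEW_TOTAL):
    """Initiator/vendor pairs whose under-limit purchases add up past `total`.

    Each row passes a per-transaction limit test on its own; only a pass
    over every row shows the accumulated amount (item 2).
    """
    sums = defaultdict(lambda: [Decimal("0"), []])
    for tid, initiator, _approver, _receiver, vendor, amount in txns:
        amt = Decimal(amount)
        if amt < single_limit:
            entry = sums[(initiator, vendor)]
            entry[0] += amt
            entry[1].append(tid)
    return {k: (v[0], v[1]) for k, v in sums.items() if v[0] > total}

def nightly_exceptions(txns):
    """Exception report a scheduled job could send to management (item 3)."""
    return {
        "segregation_of_duties": segregation_failures(txns),
        "accumulated_small_spend": accumulated_small_spend(txns),
    }

if __name__ == "__main__":
    for test, hits in nightly_exceptions(TRANSACTIONS).items():
        print(test, hits)
```

On the sample rows, none of T3 to T5 exceeds the per-transaction limit, so a limit test or a random sample would pass each one; the pair is reported only because every row is summed.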
7. Expand the scope and repeat.
Re-evaluate your fraud profile, taking into account both the most common
fraud schemes and those that relate specifically to the risks that are
unique to your organization, and move your investigative lens. Use
analytics to find out where controls are not working or are ineffective
and don’t forget to look for controls that cannot be governed by
application control settings. Investigate patterns and fraud indicators
that emerge from the fraud detection tests and continuous auditing and
monitoring.
______
For more on how to use data analytics to implement a successful fraud program in your organization, download Peter Millar’s eBook “Detecting and Preventing Fraud with Data Analytics.”
*********************
Peter Millar is the Director of Technology Application at ACL Services Ltd. For the past 12 years, Peter has been involved in the evolution of analytic solutions for audit departments in industry and government. His combination of experience and expertise has helped audit departments in some of the world’s leading organizations to create value-added opportunities by implementing efficient and sustainable audit analytics solutions. He has more than 18 years’ experience in the high-tech industry in various software and systems integration companies. Peter sits on the Advanced Technology Committee of The Institute of Internal Auditors (The IIA) and was a co-author of the “Global Technology Audit Guide (GTAG)-13 – Fraud Prevention and Detection in an Automated World.”
Peter can be reached at peter_millar @ acl.com or on Twitter @PBMillar. Additional commentary by Peter can be found at ACL Services' Business Assurance Blog at: www.acl.com/blog
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®


