September 18th, 2024
The Association of Certified Fraud Examiners (ACFE) has released its latest internal business fraud findings in its Occupational Fraud 2024: A Report to the Nations study. It is the largest global study on occupational fraud and examines nearly 2,000 cases that resulted in more than $3.1 billion in monetary losses.
With an average loss of $1.7 million and median losses of $145,000, internal fraud presents a significant risk to small and medium-sized businesses. These businesses do not have the resources to withstand sizeable losses and also often lack internal controls, making them the most vulnerable targets.
What Are Internal Controls?
Internal controls are guidelines, policies, and procedures that are designed and implemented to protect a business's assets and reputation in addition to ensuring compliance with applicable rules and regulations.
There are three basic categories of internal controls:
- Preventative Controls - These controls are implemented to mitigate risk and prevent fraud from occurring.
- Detective Controls - These controls are implemented to detect and discover instances of fraud if they still occur.
- Corrective Controls - These are additional preventative controls that are put into place in response to discovered instances of fraud.
Internal control in accounting, physical access, and IT is necessary for reducing internal fraud risk, detecting internal fraud, and shoring up weak spots to strengthen a business against fraud-related monetary losses and reputational damage.
Top 10 Internal Controls to Prevent and Detect Fraud
1. Separation of Duties and Powers
The bookkeeping and accounting department is at an elevated risk of internal fraud due to the sensitive and valuable nature of the data collected and access available. As a result, it is necessary for a financial department to operate with at least three individuals at all times to ensure the adequate separation of duties and powers.
A three-person back-office team ensures one person is responsible for approving invoices, a second person is responsible for writing checks, and a third person is responsible for reconciling the checking account. This ensures that no one individual in the department has too much power, access, or ability to cover a nefarious trail.
Additionally, certain tasks (such as those that involve handling cash) should be performed using dual control with one person counting and the other recording, for example.
2. Access Controls
No one in the back office needs access to everything. Businesses should limit access to their bookkeeping and accounting software systems using customizable login profiles. With these profiles, you can set specific permissions for specific individuals so that everyone has access to the information, reports, and tools they need and nothing more. In addition to helping reduce the risk of fraud, these limitations also help to protect the integrity of your business's financial data by reducing user errors.
3. Password Policies
Your business must have enforced password policies in place. Of course, employees should be prohibited from recording their passwords anywhere or sharing them with anyone. This is to maintain the integrity of the access controls you have established. It is also prudent for businesses to require mandatory password changes on a set schedule to help increase security.
4. Physical Controls
Physical controls help to limit access to sensitive information or valuables that could be accessed physically. For example, your company's network room should be locked at all times. You should deactivate any USB ports on computers that are not physically secure (i.e. located in a locked office). Additionally, check that your offices are secure from the outside and that no computer screens are visible from street-level windows.
If you have a remote office, you should limit the amount of sensitive information that employees can access from their home networks or take precautions to ensure they are using a secure internet connection and have established a physically secure home office space.
5. Cybersecurity
Your business should have an internal IT expert or work with an outside IT consultant to ensure your network and data are protected against cyber threats. This should include a firewall, secure internet connection, and updated operating systems, browsers, and software. Using cloud-based bookkeeping and accounting software in addition to other cloud-based tools can help you keep up with updates because these systems update automatically, ensuring that users are always plugged into the most secure version.
6. Training and Testing
Hold regular security meetings with your employees to ensure they understand the internal controls that are in place and know how to follow them. You should also perform random tests. These can be performed internally or a third-party security consultant can help you test your employees anonymously to evaluate your business's risk.
7. Physical Checks
Perform routine physical checks to detect possible signs of fraud. These checks include activities like counting your inventory, balancing your registers (at the beginning and end of any shift or individual's access in addition to at the end of the day), and tracking and counting petty cash.
8. Account Reconciliations
All transaction records should be promptly reconciled with their corresponding account statements. Any balance or transaction discrepancies must be examined and resolved as soon as possible.
9. Accept Anonymous Tips
Forty-three percent of fraud cases are detected by tips, which come from employees (52%), customers (21%), and vendors (11%). Creating a system for receiving tips anonymously could help your organization detect fraud. The most successful and frequently used mechanisms for tips are web-based submission forms (40%), a designated email account (37%), and telephone hotlines (30%).
10. Routine Audits
Conduct routine audits of your accounts. These can be performed internally, but it is often more helpful to hire a third-party financial auditor to perform an audit and examination of your business's bookkeeping and accounting department in addition to a third-party IT professional to test and evaluate your cybersecurity protocols. These types of audits will increase the chances of detecting fraud early on in addition to helping you identify potential weaknesses in your policies and procedures that can be addressed with corrective controls before any fraud occurs.
Internal Controls Best Practices
More than half of internal fraud instances occur as a result of lacking internal controls or the override of existing internal controls. Follow these best practices to put internal controls into action in your business and ensure everyone sticks to them.
Use Internal Controls Accounting
Internal control accounting refers to a method of accounting that uses sound mechanisms and procedures to limit fraud risk while ensuring the accuracy and validity of financial statements.
Set an Example
Business owners, CEOs, and other individuals in leadership positions might be tempted to bypass internal controls to save time or work more efficiently. This, however, undermines the entire system. It sets a bad example for everyone in an organization, shows that leadership doesn't value internal security and controls, and reduces the efficacy of the controls you put in place.
Document Your Policies
All internal controls, security protocols, and procedures must be documented. These can exist in an employee handbook or an official training document.
Assess and Update Policies
If you have detected fraud in your business, then you must determine how the fraud occurred and put new, additional, or revised preventative controls in place. Even if you have not detected fraud, you should routinely assess your preventative and detective controls. Look for weaknesses and oversights or new business functions that are vulnerable under your current set of rules.
Enforce the Controls
Internal controls must be enforced. Setting a good example of following internal controls and appropriate procedures will create a workplace culture where security and rule-following are valued. This will help encourage employees to hold each other accountable. Department leads should also be on the lookout for individuals who bypass internal controls and take quick action to respond, reminding them of the policies, issuing a warning, or taking corrective action.
Reduce the Risk of Business Fraud With an Outsourced Accounting Department
Outsourced accounting is an excellent strategy for strengthening your business's internal controls. Working with an outsourced bookkeeping and accounting provider gives you access to expert controls and an entire team to manage your back office function. As a result, you'll be operating with secure financial tools and technology in addition to a highly qualified and credentialed team of financial professionals who can help you improve and implement strong preventative and detective internal controls to reduce the risk of fraud in your business.