There are organizations of all sizes and types: international, local, family-owned, corporations, limited liability companies, individuals, governmental, etc. The common denominator is that no shareholder or manager of any organization wants to be a victim of fraud, of any type or size. Aaron Rodriguez, an expert in business planning to optimize company resources, explains how fraud prevention can be achieved through internal controls.
Recent surveys show that eight out of ten companies have suffered fraud in the last year and that 61% of the scams were detected by internal controls, but only 12% of the respondents, despite having suffered fraud, took preventive measures. Many today are asking which controls prevent fraud. The best answer is not a list of controls to implement: the activities related to the Sarbanes-Oxley Act regulatory framework and equivalent regulations have taught that you can have a very complex system of operational-level controls, but without proper monitoring and tone from management, those controls can be evaded. Knowing them in depth is enough to find the weak point.
As an example, we can look at public bids, many of which are reviewed by the respective government agencies and found to be in full compliance with the corresponding laws and regulations. Even so, it is not clear whether there was any corruption in the process, and there is no simple answer: no one can say with absolute certainty that there was none.
As a result, it is necessary to take a step back and look at the organization as a whole, as well as to find a way to manage the risk of fraud with a vision that goes from the general to the particular. Experience has shown the effectiveness of fraud prevention and deterrence measures that focus on a cultural change of the employees in the organization.
Rodriguez states, “Mitigating the risk of being a victim of fraud requires a system of activities and controls that, as a whole, reduce the probability of fraud and misconduct occurring, but at the same time maximize the possibility of detecting them, before they mean significant economic loss.”
The main objectives of a comprehensive fraud risk management program are to prevent, detect and respond to fraud and misconduct in the company. All companies are susceptible to some type of fraud since when there is collusion and intent, it is difficult to detect and stop it. Despite this, it has been seen that this risk is substantially mitigated when companies have a comprehensive program that combines cultural change mechanisms with internal controls in business processes.
An adequate risk management system must be based on a solid corporate governance structure. Everyone in the organization plays an important role in the supervision and monitoring process, including the Board of Directors, the Audit Committee, management, and internal auditors.
A comprehensive fraud risk management program should start with assessing what these risks are in the organization and rating them by likelihood of occurrence and magnitude of impact. Adds Rodriguez, “The process needs to be appropriate and tailored to each organization, as there is no common inventory or menu of fraud risks from which to choose what applies to you. Therefore, it is recommended to consider both external factors that create fraud risks: product substitutes, changes in the industry and economy, changes in legislation, customer needs and expectations, etc., and internal factors, such as incentives and pressures on employees, low morale, new systems, new products and staff turnover.”
On the other hand, there is the way policies and procedures are communicated, as well as the ethical values of the organization. Values should not be communicated as a dead letter, but through dynamic documents that allow employees to learn how management perceives the values it wants applied at work and in daily activities within the organization.
In addition, controls over information systems, such as safeguards, backups, access controls (passwords), etc., should be considered. An employee who engages in misconduct will try to destroy evidence, and if the system is not working properly or there are no adequate backup policies, the destruction of that evidence is imminent.
The emphasis of effective and responsible corporate governance should be on deterring crime or misconduct. The investigation of fraud, abuse, and error should not be the primary interest of senior management, as this is a reactive rather than a proactive position. Their primary focus should be on strengthening effective corporate governance, based on a risk control system that prevents abuse of trust and reduces the likelihood of error and deception.
Organizations need to stop seeing internal control as a long list of unrelated “locks” that create the perception of over-regulation or bureaucracy, and instead see it as a complement to a cultural change, i.e., a combination of the necessary controls or locks, according to the risks, with the involvement and tone of management on ethical and value issues. Only in this way will concrete measures be taken to improve trust in companies and work towards the protection of their assets.