July 9, 2014

Although internal controls are designed to protect a company against fraudulent schemes by its employees, these controls often prove to be ineffective when senior personnel are involved.

Owners and top executives are able to act out of sight of other employees, who might otherwise become suspicious about unusual conduct. Moreover, senior personnel are usually the very persons responsible for ensuring that the internal control structure functions properly.

As such, in some organizations, they may operate without meaningful oversight except by one another. When the corporate watchdogs act together to defraud the company, it is difficult for those on the inside to detect the fraud or to stop it.

Fraud committed by owners or executives takes far longer to detect and is for far greater amounts, according to the latest biannual report of the Association of Certified Fraud Examiners (ACFE).

The median amount stolen by executives worldwide was $573,000 in the ACFE’s 2012 report, down from the 2010 median amount of $723,000 and 2008 total of $834,000. In the United States, the median amount was $373,000 compared to $4 million in Asia.

Those numbers are more than three times as much as mid-level managers steal and 10 times as much as regular employees steal.

Approximately 18 percent of all on-the-job theft in the United States is committed at the highest levels of the company, while 38 percent of frauds are conducted by mid-level managers and 42 percent by employees.

The type of fraud most often perpetrated by upper management is corruption, which includes conflicts of interest, economic extortion, bribery and illegal gratuities (53 percent), followed by billing fraud and expense reimbursement fraud.

It typically takes 24 months for a crime by a top executive at a company to be detected, while crime by a typical employee is usually found in about 12 months.

The reason: Perpetrators with higher levels of authority are typically in a better position to override controls or conceal their misconduct. There may also be a reluctance on the part of employees and anti-fraud personnel to lodge complaints about or to investigate those with higher levels of authority.

For very small companies, it is difficult to construct an effective internal control structure because management consists of a very small group of people, or even a single person.

If management is the problem, there is no one for an employee who discovers or suspects fraud to go to other than the authorities. This decision may carry some risk. Having at least one director or investor who is not involved in management gives an employee who suspects fraud somewhere to go.

Employee tips and management reviews are the primary detection methods for most employee fraud. But at the executive level, a strong internal audit function may be the best guard against employee thefts. According to the ACFE report, 14 percent of all fraud is detected by internal audit.

An internal auditor, or even an external auditor, who comes in periodically to review all company transactions, provides a mechanism by which fraud can be detected and reported. For the audit function to be effective, procedures must be established so the auditor has access to documentation relating to all transactions. In addition, there must be procedures for safeguarding those documents from alteration or destruction.

Preservation of the documents in electronic read-only form is perhaps the most effective method, particularly with a system that keeps a record of when the document is created and when any attempts at modification were made.

Creating the internal audit function and assuring preservation of and access to key information is only part of the job. It is equally important to assure that the auditor has someone to report to, either within the organization or outside.

When there is a non-management director on the board, or where an effective audit committee exists, the auditor must have the authority to report any suspected irregularities directly to that person or committee.

If there are no independent directors, the internal auditor should still have the authority to report to an outside investor or oversight committee if necessary.

While some companies will prefer to hire their own internal auditor, a CPA can be engaged to act as the “external” internal auditor. Independence rules will generally require that the CPA who performs the external audit not also be the organization’s financial statement auditor.

Every accountant who audits financial statements knows that detecting a collusive fraud is difficult at best. The creation of an internal or external audit function to oversee a company’s transactions and financial record keeping as they are occurring can be a vital step in assuring that the system of internal controls is not frustrated or rendered ineffective from within.

This article was originally posted on July 9, 2014 and the information may no longer be current. For questions, please contact GRF CPAs & Advisors at marketing@grfcpa.com.