Minimizing Internal Fraud at Your Financial Institution
When performing independent financial statement audits of financial institutions, all independent auditors are required to ask management about its knowledge or suspicion of any fraud.
Many clients have said, “We have a great control structure,” “Our ‘open door policy’ and ‘tone at the top’ really set a great example for employees,” or “We have a very experienced staff that has been together for a long time; I just don’t have any concerns.”
While this is an accurate and perfectly reasonable response a majority of the time, occasionally we will run across concerns about fraud from staff. Therefore, it’s important for management to maintain a level of skepticism with all employees.
Although there are instances where even the best control structure may not have prevented the fraud, there are some simple steps that can help reduce the risk of fraud.
Ensure your internal audit department remains independent
When timely internal audit testing is performed in accordance with the audit plan and is reported directly to the board of directors, this independent review can play a significant role in fraud prevention. It is important to remind internal auditors that, while there may be instances where other employees assist with testing, those employees should not have responsibilities in the area they are testing, so that the testing remains entirely independent.
Stay on top of your IT security
Network security is an obvious concern for all institutions. It seems as though every day there is a new IT-related fraud announced because the network has been breached. Whether it’s a phishing attempt, malware infecting your network, or a spoofing attempt, these external threats need to be monitored and addressed.
However, it is also important to monitor internal access. User access rights should be periodically reviewed to ensure employees only have access to portions of the network and applications that fit their business responsibilities.
A policy is not the same as a control
Many institutions have policies requiring certain controls to be placed on employees. For example, nearly all institutions prohibit employees from processing banking transactions on their personal accounts. While this may be the institution’s policy, many core processing systems do not restrict these transactions. Therefore, if an institution is not monitoring employee accounts, there really is no control in place.
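One way to turn the policy above into a monitored control, as an added example that is not part of the original article: the script scans a teller journal and flags any transaction an employee posted to an account that same employee owns, including joint accounts. The journal layout, operator IDs, customer numbers and account data are constructed assumptions, not any core processing system's real export format.

```python
from collections import Counter

# Constructed sample data (assumed layout, not from a real core system).
# Staff operator ID -> that employee's own customer number.
EMPLOYEE_CUSTOMER = {"T104": "C-2001", "T117": "C-2002"}

# Account number -> customer numbers that own it (joint accounts have several).
ACCOUNT_OWNERS = {
    "10-555": {"C-2001"},            # owned by employee T104
    "10-777": {"C-2002", "C-9001"},  # joint account; one owner is employee T117
    "10-888": {"C-9002"},            # ordinary customer account
}

# Teller journal rows: (txn_id, operator_id, account, amount).
JOURNAL = [
    ("J1", "T104", "10-888", 250.00),   # normal customer transaction
    ("J2", "T104", "10-555", -900.00),  # employee posts to own account
    ("J3", "t117 ", "10-777", 40.00),   # own joint account, untidy operator ID
    ("J4", "T117", "10-555", 75.00),    # a colleague's account: not self-processed
    ("J5", "ATM01", "10-555", -60.00),  # non-staff channel on an employee account
]

def self_processed(journal, employee_customer, account_owners):
    """Return journal rows where the posting operator is an owner of the account."""
    exceptions = []
    for txn_id, operator, account, amount in journal:
        op = operator.strip().upper()   # normalise IDs before matching
        customer = employee_customer.get(op)
        if customer is None:
            continue                    # ATM, batch or online channel, not staff
        if customer in account_owners.get(account, set()):
            exceptions.append((txn_id, op, account, amount))
    return exceptions

def summarize(exceptions):
    """Count exceptions per operator for the reviewer's report."""
    return dict(Counter(op for _, op, _, _ in exceptions))

if __name__ == "__main__":
    found = self_processed(JOURNAL, EMPLOYEE_CUSTOMER, ACCOUNT_OWNERS)
    for row in found:
        print("EXCEPTION", *row)
    print(summarize(found))
```

The exception list only acts as a control if someone other than the flagged employee reviews it on a regular schedule.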
These are just a few simple reminders that can be used to help prevent internal fraud at a financial institution. If your institution would like additional fraud prevention tips, CliftonLarsonAllen provides a range of services to assist financial institutions with enhancing their internal control environments.