Internal controls cannot completely prevent fraud, but they greatly reduce the time it takes to detect it.
In its 2012 Report to the Nations on Occupational Fraud and Abuse, the Association of Certified Fraud Examiners (ACFE) estimated a typical organization loses 5 percent of its annual revenue to fraud. At a time of reduced revenue and rising costs, a 5 percent reduction in the bottom line demands attention.
From 2010 to 2012, state and local governments jumped from third place to second place in the relative frequency of fraud, according to the report. This is a disproportionate increase in the frequency of frauds at state and local government levels. The report said the three most common government fraud schemes are:
| Scheme | Average Duration in Months | Average Loss |
|---|---|---|
| Corruption (an employee that misuses influence, e.g., conflicts of interest, or a bid rigging or kickback scheme) | 18 | $250,000 |
| Billing (e.g., fictitious or inflated invoices or personal purchases | 24 | $100,000 |
| Noncash (e.g., theft or misuse of noncash assets) | 12 | $58,000 |
According to the ACFE, more than 80 percent of offenses are perpetrated by individuals in departments where key employees work (42 percent), such as accounting, operations, and purchasing, or by upper management (38 percent).
The report also cites the primary internal control weaknesses underlying these reported frauds. The three most common are:
| Internal Control Weakness | Percentage of Cases |
|---|---|
| Lack of internal controls | 36 |
| Override of existing controls | 19 |
| Lack of management review | 19 |
While internal controls cannot completely prevent fraud, they greatly reduce the time it takes to detect it. The success of any internal control structure begins with access controls that match each individual’s duties.
Here are seven steps government entities should take to help prevent fraud.
- Set a positive tone at the top. An excellent way governing boards and upper management can create a culture of accountability is by writing a code of conduct. This code should clearly state the entity’s position on business ethics, define fraudulent activity, and communicate the consequences. The code can be as simple as a three sentence statement that defines how the government meets its statutory requirements and engages internally, with vendors, and with constituents. There are many examples online to inspire you in drafting a code of your own.
- Implement internal controls. Internal controls help safeguard assets, properly record transactions, and accomplish the organization’s goals and objectives, including complying with regulations. The top three internal controls to focus on are:
- Segregate duties. Separate recordkeeping responsibilities from physical custody of assets.
- Monitor access. Ensure that duties are actually segregated as planned by monitoring employee access to recordkeeping systems.
- Management review. Perform reviews of access and exception logs, as well as meaningful reviews of nonstandard journal entries, details of reconciliations, transaction records, and monthly financial information.
- Institute a fraud reporting hotline. Being able to tell employees, constituents, contractors, service providers, and other third parties that you have a hotline is an important part of fraud prevention and detection. A critical component of a hotline is ensuring that reports can be made without fear of reprisal. There should also be a formal process to handle tips so each tip is investigated and resolved consistently. This helps protects the government in event of litigation. Hotlines are generally cost effective. After an initial set up charge, there is usually a nominal monthly hosting fee. One of the benefits of the hotline is you get tailored monthly reports to help you identify trends.
- Hire, promote and train ethical employees. Perform background checks on prospective employees, verify resumes and applications, and train managers to conduct thorough and skillful interviews. Implement fraud education for all employees; awareness and knowledge are highly effective at preventing fraud.
- Dispense fair and balanced discipline. Deal with fraud swiftly and consistently, even in instances where minor fraud is discovered. Ensure that the penalty is aligned with the code of conduct.
- Identify and measure risks. Assess your entity’s exposure to fraud risk, measure the likelihood of fraudulent activity, and implement appropriate responses. An assessment should focus on preserving financial integrity, identifying and measuring risk, improving processes, and proactively preventing fraud.
- Don’t rely on a financial audit. Audits provide a measurable benefit by attesting to the accuracy and completeness of the financial statements used by third parties. However, do not expect a financial audit to uncover fraud. Audit procedures are performed on less than 100 percent of the activity, and are not designed to detect fraud.
These steps are part of an overall risk management process. While your entity may not be in position to implement all of these ideas, you should do at least two things: set an ethical tone and establish solid internal controls. These two actions form the basis on which all other policies and procedures rest. Once they are in place, set a three-year plan to implement the rest. The cost of doing nothing at all will be far greater.