While fraudulent behavior can occur at all levels of the organization, more than half of occupational frauds occur in (1) operations, (2) accounting, (3) executive/upper management, and (4) sales.¹ For this reason, it is important to maintain a strong internal control environment at all levels of the organization, and most importantly, strong governance and “tone at the top.”
With globalization, companies are forced to expand rapidly and often into international markets that boast different fraud perceptions. This often results in an inconsistent control environment across the company. Mid-size companies find themselves expanding to overseas markets, often with a higher perceived risk of fraud, taking risks to succeed in business while failing to comply with local and global laws and regulations. Along with business growth and a focus on business operations, internal controls must be developed for compliance with both local and foreign Acts, such as the Foreign Corrupt Practices Act (USA) and Corruption of Foreign Public Officials Act (Canada), among others.
In several countries, the Board of Directors (the “Board”) and senior management may be held responsible for employees’ actions in the absence of effective internal controls. An employee’s responsibilities are to follow the controls and policies, but the Board is responsible for approving the policies and providing oversight as a governing body. For example, the Board may establish a risk committee, which reports to the Board on the internal compliance or non-compliance with controls and policies. Furthermore, good corporate governance policies often provide for the engagement of third-party internal audit consultants on a periodic basis (i.e., annually) to evaluate the control effectiveness.
For organizations of all sizes, it is also important to consider the Three Lines Model (formerly also known as the Three Lines of Defense), where the Board, management and internal auditors work to improve the organization’s value. Under this model, the Board is accountable to stakeholders for organizational oversight, through first line roles; management leads and directs action to achieve organization objectives, through first line and second line roles; and internal audit provides independent assurance, through its third line role. The effectiveness of this model is further enhanced through constant communication between the key roles of the organization as well as alignment and collaboration between management and internal audit. With growth, the internal control function is often overlooked, and third-party internal audit consultants become invaluable, offering expertise, experience and resource capabilities that supplement the organization’s structure.
The internal audit function comprises various procedures and processes, including, but not limited to, risk assessments, control assessment and mapping, audit planning, risk governance, and root-cause analysis. These activities assist the company with its internal controls to maintain organizational value. The most important step in the process is facilitating a risk assessment, where internal processes are assessed and risks throughout the organization are identified and prioritized. Herein, controls that exist currently within the organization are allocated and improved based on best practices.
Risk assessments done by an external specialist outside the business unit provide independent objectivity and avoid internal bias and subjectivity. Once priority risks are identified and controls are mapped, recommendations are made concerning any identified gaps in the controls to provide for improvement opportunities. When internal policies, procedures, and controls are implemented and the occurrence of fraud is still a concern, the cause may be rooted in the operations. To resolve this, the implementation and communication of the controls need to be improved. Several tools, such as surveys and fraud awareness training, can be implemented to close the gaps. A third-party internal audit consultant can assist in the review and assessment of your control environment while providing the necessary skills and knowledge to support the same.
With professional external parties assisting with the overall internal fraud risk management and processes, risks within the organization can be minimized.
If your company is expanding either domestically or globally, reach out to one of our consultants to help you implement the necessary internal controls to support your goal. We have worked with companies across various industries and understand the risks that can be faced.
¹ ACFE Report to the Nations, 2020