Sunday, March 22, 2009

Determine if controls in place are detection or prevention controls

When developing a set of internal controls or reviewing the current internal controls in place in an organisation, it is important to determine if the organisation has a balance of prevention as well as detection controls.

Prevention controls are those controls that reduce the likelihood of fraud occurring or “prevent” the fraud from occurring. Detection controls are effectively a “back-up” control and are there to detect fraud if the prevention controls have not been effective and have allowed the fraud to occur. Detection controls that are in place should allow for the fraud to be detected as quickly as possible.

Prevention controls can be split into two types – macro and micro prevention controls.

Macro prevention controls are those controls at a strategic level that are in place to prevent fraud from occurring. Examples of macro prevention controls include:

  • Having a board and management structure that lead by example – this is regularly referred to as the “tone at the top”. If the board and management of the organisation do not support fraud prevention and control in the organisation, it is difficult to have employees and volunteers support it.
  • Having an appropriate fraud control plan / strategy in place which employees and volunteers are aware of and receive appropriate training on. This allows employees and volunteers to understand that fraud is not acceptable within the organisation.
  • Having an ethical organisational culture within the organisation. It is important to understand the value of having an ethical organisational culture when it comes to fraud prevention. An ethical organisational culture is considered by organisations to be a primary factor in reducing the risk of fraud.[1]

Micro prevention controls are those controls that affect the day-to-day operations of the organisation. Examples of micro prevention controls include:

  • Segregation of duties. For example, the requirement to have two people process and approve a payment makes it more difficult for one person to commit fraud unless there is collusion involved or the person committing the fraud bypasses the second person, for example by forging that person’s signature approving the payment.
  • Having two cheque signatories or two passwords required for internet banking again makes it more difficult for an individual to commit fraud.

Examples of detection controls include:

  • Undertaking bank reconciliations on a regular basis and investigating any discrepancies that arise. For example, a common method of hiding a fraud is to “force” a bank reconciliation to reconcile (e.g. to include incorrect entries, have a deposit outstanding for more than one reconciliation, or have an outstanding deposit increase from one reconciliation to another). Having the bank reconciliation reviewed on a regular basis and investigating any discrepancies allows fraud to be discovered quickly.
  • Preparing realistic budgets, comparing actuals to budgets on a regular basis and investigating discrepancies.
  • Conducting exception reporting and investigating discrepancies that arise.
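The two reconciliation red flags described above (a deposit that stays outstanding across more than one reconciliation, and an outstanding deposit whose amount grows between reconciliations) are simple enough to check mechanically as part of exception reporting. The following is an added example, not code from the original post: the snapshot format, the field names and the three month-end reconciliations are all constructed for illustration.

```python
"""Flag signs of a "forced" bank reconciliation across consecutive periods.

Added illustrative example (not from the original post). The snapshot format
and field names are assumptions; the reconciliation data below is constructed.
"""
from collections import defaultdict

# Constructed sample: each snapshot is one month-end reconciliation listing the
# deposits still "in transit" (recorded in the ledger but not yet on the bank
# statement). DEP-102 is the planted anomaly: it never clears and its amount grows.
RECONCILIATIONS = [
    {"period": "2008-10", "outstanding_deposits": {"DEP-101": 1200.00, "DEP-102": 350.00}},
    {"period": "2008-11", "outstanding_deposits": {"DEP-102": 350.00, "DEP-103": 800.00}},
    {"period": "2008-12", "outstanding_deposits": {"DEP-102": 900.00, "DEP-104": 150.00}},
]


def flag_forced_reconciliation(recons, max_periods=1):
    """Return a list of (deposit_id, reason) findings for the reviewer.

    Two red flags are checked:
      * a deposit outstanding in more than `max_periods` reconciliations
        (a genuine deposit in transit should appear on the next bank statement);
      * an outstanding deposit whose amount increases from one reconciliation
        to the next (the figure may be a plug used to make the reconciliation balance).
    """
    periods_seen = defaultdict(list)   # deposit id -> periods in which it was outstanding
    last_amount = {}                   # deposit id -> amount at the previous reconciliation
    findings = []

    for snap in sorted(recons, key=lambda s: s["period"]):
        for dep_id, amount in snap["outstanding_deposits"].items():
            periods_seen[dep_id].append(snap["period"])
            if dep_id in last_amount and amount > last_amount[dep_id]:
                findings.append((
                    dep_id,
                    f"amount increased from {last_amount[dep_id]:.2f} "
                    f"to {amount:.2f} in {snap['period']}",
                ))
            last_amount[dep_id] = amount

    for dep_id, periods in periods_seen.items():
        if len(periods) > max_periods:
            findings.append((
                dep_id,
                f"outstanding in {len(periods)} reconciliations: {', '.join(periods)}",
            ))
    return findings


if __name__ == "__main__":
    for dep_id, reason in flag_forced_reconciliation(RECONCILIATIONS):
        print(f"INVESTIGATE {dep_id}: {reason}")
```

Run against the constructed data this reports DEP-102 twice: once because its amount rose from 350.00 to 900.00 in 2008-12, and once because it was outstanding in all three reconciliations. The output is a work list for the person reviewing the reconciliation, which is the point of a detection control: it does not stop the entry being made, it makes sure the entry is questioned at the next review.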

    [1] BDO Not-for-Profit Fraud Survey 2008, Chart 5.5, page 66.
