A study by the Association of Certified Fraud Examiners shows that strong internal controls are the best way for your organization to mitigate fraud.
When state and local governments discover fraud within their organizations, their first question is often, “Why didn’t the audit catch that?”
The most commonly performed annual financial audit is not designed to be relied upon to detect fraud.
There is no simple answer to that question, but there are a couple of straight forward facts that are often discussed after fraud is discovered:
- The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management.
- An auditor conducting an audit in accordance with professional standards is responsible for obtaining reasonable assurance that the financial statements as a whole are free from material misstatement, whether caused by error or fraud.
Simply said, if management and governance have strong internal controls and the outside auditor tests those controls annually, it creates a strong internal control environment that deters fraud.
Frauds do occur. When they do, governance (sometimes with the direction of legal counsel) will ask for a forensic examination or a “fraud audit.” This is different than a financial statement audit.
By exploring fraud statistics, it can be easier to understand how important it is to have strong internal controls along with other ways to protect your organization.
Study captures extent of fraud
The Association of Certified Fraud Examiners’ 2016 Report to the Nations, a biennial study, examines nearly 2,500 occupational fraud cases. Roughly one-third of the cases included in the study were organizations other than privately held or publicly owned companies (e.g., nonprofits and government entities). The total financial loss of all organizations studied exceeded $6.3 billion, with an average loss per case of $2.7 million.
Understanding the external auditor’s role
While annual financial audits are the most common anti-fraud control put in place, with nearly 82 percent of organizations in the study opting for such audits, the vast majority of fraud is not — though may be — discovered by these external auditors. This is indicative of an organization’s misunderstanding of the nature of a financial audit, placing too much reliance on the required procedures performed to identify the potential that fraud has taken place and not been detected.
An external financial auditor’s responsibility is to express an opinion on financial statements and to ensure that documents are free from material misstatement. These auditors do not express an opinion on the effectiveness of the organization’s internal controls. Rather, they consider these controls relevant to the preparation and fair presentation of financial statements and perform procedures designed to identify fraud risks that have been surfaced in audit planning.
External financial auditors perform their work on a sample basis and do not test every transaction, so they can’t be expected to catch all fraud or errors. Instead, your government’s management should design, implement, and maintain internal controls to limit unauthorized transactions in financial statements.
The best ways to protect your organization
The most common type of fraud reported in the study was asset misappropriation, affecting more than 83 percent of organizations. Specifically, the biggest risk was attributed to billing schemes and check tampering. On the other hand, financial statement fraud was the most costly, with a median loss of $975,000.
Lack of internal controls is the most prominent organizational weakness that contributes to fraud.
According to the report, tips from employees and others were responsible for detecting more than 39 percent of fraud, making them much more likely to catch fraud than external financial audits. Organizations that had reporting hotlines were even more likely to expose fraud through tips than organizations without hotlines (47.3 percent compared to 28.2 percent, respectively). Making sure that every member of your organization knows who to alert regarding organizational misdeeds or violations, and that they are able to do so in a confidential and secure way, can significantly increase your chance of catching fraud.
Management reviews and internal audits each caught 14 percent of fraud in reported cases. Taking a step back to identify the processes and operations that are more susceptible to fraud and errors will help management focus on the places to strengthen internal controls to improve fraud prevention and detection.
How we can help
CLA’s state and local government and nonprofit professionals have developed internal procedures and controls at hundreds of organizations. We are available to consult and perform analyses to help you prevent fraud, including:
- Ensuring strong internal controls are in place across your organization.
- Equipping management to analyze processes and recognize fraud.
- Implementing confidential reporting controls to catch fraud.
If management or governance suspect fraud, CLA’s forensic specialists are available to do a “fraud audit” and help the organization determine the monetary damages. The best investment an organization can make is in strong internal controls and creating an environment to deter fraud and avoid the financial loss and human cost that result from frauds.