Mitigation and Controls

The term fraud mitigation refers to any tool or technique — this website, for example — that is used to reduce the frequency or severity of fraud. Some methods of fraud mitigation have been around as long as we have kept records, which is a very long time considering that accounting and auditing preceded writing. Auditing, both internal and external, has been used to prevent or discover fraud for millennia. Training, one supposes, accompanied auditing and accounting.

It has long been recognized that an appropriate tone at the top goes a long way to reduce the likelihood of fraud. Fraud mitigation, however, began and begins with an understanding that fraud may occur — fraud awareness — and that certain steps are necessary to prevent it, detect it, and reduce or recover from the damages it inflicts on individuals and organizations. Today, we have more means at our disposal to combat fraud than ever before. Risk modeling and data mining — both discussed elsewhere on this website — are tools that have been made possible by new technology.

Internal controls are a structure of policies, procedures and processes, effected by an organization’s management, intended to assist an organization in meeting its goals and objectives. One of those goals is the reduction of fraud and the negative effects fraud has upon the victim organization and other stakeholders. Internal control processes include activities like cash and bank reconciliation. Structural aspects of internal control include organizational features, such as the segregation of duties and appropriate authorizations.

Despite new tools and controls, however, there is still a great deal of governmental fraud — perpetrated by employees, contractors, beneficiaries, providers, and the general public. Why? Because despite our best efforts, fraud succeeds. The only way to lessen the success of fraud is for every governmental employee, every program manager, every elected or appointed official to become more knowledgeable about fraud, how it is perpetrated, which kinds of activities or anomalies suggest that fraud may be occurring, and what sort of tools and techniques are available — and should be used — to combat fraud.

Types of Controls

Three types of controls are generally recognized: preventive, detective and corrective. To a large extent, each type of control is related to the point in an underlying process at which it operates. All these controls can, to a greater or lesser extent, be automated. While these controls exist to support the overall achievement of an organization’s goals, here we will deal with them specifically in the context of fraud mitigation.

Preventive Controls

Preventive controls include steps taken before fraud occurs. Some preventive controls relate to organizational structure. Segregation of duties — that is to say, not allowing a single person to have control over all aspects of processing a transaction — is a preventive control. Other preventive controls are embedded in an organization’s software system. Passwords, for example, prevent unauthorized access to processing or data. Some preventive controls, such as locks and alarms, deal with physical access to assets. In that they may thwart fraudulent activity before it occurs, preventive controls are generally the most effective, efficient and economical.

Detective Controls

Detective activities are designed to find irregularities, should they exist. They are also designed to provide some level of assurance that preventive controls are working as planned. Counts of physical inventory, reconciliation of accounts, report reviews and analyses, and internal and external audits are all examples of detective controls. Detective controls occur during and after the events they are designed to discover and are generally more expensive and time-consuming than preventive controls. However, the importance of detective controls in mitigating fraud should not be underestimated.

Corrective Controls

Corrective controls are designed to correct errors, irregularities or fraudulent activities once they have been detected. Since they take place after the fact, they are generally the least economical. They are, nonetheless, important to the control of fraud in a number of ways. Corrective controls may help improve preventive or detective controls, thereby reducing future occurrences or promoting the more timely detection of related fraudulent activities.

Limitations of Internal Controls

Internal controls are a very important element in the fight against fraud. Internal controls are, however, subject to a number of limitations, including:

Management Override

Management often has the authority to override established policies and procedures. In certain cases, such interventions support legitimate business purposes. In cases of fraud, however, management interference is connected to personal advantage and gain.


Any combination of management, staff, contractors, vendors, customers or beneficiaries can act collectively to circumvent internal controls. A preventive control, such as segregation of duties, fails when several employees pool their efforts to defeat the system of controls and perpetrate a fraud. An employee, acting in concert with a vendor, can effect any number of payment-type frauds.


Systems and processes are subject to a variety of breakdowns. Software testing may not have disclosed all vulnerabilities. Employees make mistakes or are improperly trained. Management or auditors may suffer from errors of judgment. Policies and procedures may be inaccurate, non-existent or out-of-date. Any of these situations can lead to a breakdown of internal controls.