Management

Management establishes the tone at the top and the standards followed by an entire organization. A good place to begin establishing a constructive tone at the top is by adopting a written code of ethics. For the code to be of any value, it must first be followed by management and then communicated throughout the organization. The code of conduct should be consistently enforced throughout all levels of the organization and transgressors appropriately punished. Newly hired employees should be made aware of the code of conduct and the consequences of failing to comply.

Management should also periodically review policies and procedures that involve internal controls and fraud prevention and make sure those policies and procedures are up-to-date and enforced. Management should consider setting up a process for employees to report potentially fraudulent activities, such as a hotline or a confidential contact in the legal or human resources department.

Management should be aware of, and come to understand the purpose and operation of, their organization’s controls and should periodically review them for effectiveness.

Risks
An intentionally or unintentionally weak internal control environment that permits, encourages or disguises fraudulent activity.

Reluctance to provide information to auditors

Managers engage in frequent disputes with auditors

Management decisions are dominated by an individual or small group

Managers display significant disrespect for regulatory bodies

Accounting personnel are lax or inexperienced in their duties

Decentralization without adequate monitoring

Because of management's ability to override and circumvent controls, the threat of management-related fraud is always present and, if it exists, hard to prevent. A code of ethics is one of the tools any organization, private or public sector, should adopt and enforce.

Management does not emphasize the role of strong internal controls

Management does not prosecute or punish identified embezzlers

Management does not have a clear position about conflicts of interest

Highly placed executives are less than prudent or restrained on expenditures for travel and entertainment, furnishings of offices, gifts to visitors and directors, etc.

Internal auditing does not have authority to investigate certain executive activities

Accounting policies and procedures are lax, non-existent, undocumented or unenforced.

Frequent changes in external auditors

Excessive number of year end transactions

Excessive number of management overrides of policies or procedures

No monitoring of effectiveness of internal controls

Low employee morale is pervasive

Unexpected overdrafts or declines in cash balances

Refusal by agency or division to use serial numbered documents if required (e.g. receipts)

Compensation program that is out of proportion to standards

Any financial transaction that doesn’t make sense - either common or business

Contracts that result in no product or service

Missing documents

Management ignores irregularities

Staff is not trained

Lack of oversight

Lack of fraud hotline or a failure to support whistleblower programs

Failure to respond to identified issues

Lack of management understanding or support for systems, processes and controls

No checks and balances

No segregation of duties

Improper use of funds

Subordinates signing for managers

High personnel turnover

Employee overly protective of information or is reluctant to train others

Annoyance at reasonable questioning

Providing unreasonable responses to questions

Refusing vacations or promotions for fear of detection

High employee turnover rate, especially in areas more vulnerable to fraud

Lack of segregation of duties in areas more vulnerable to fraud

Rewriting records under the guise of neatness in presentation

National Association of State Controllers (NASC) Control Questionnaire for Control Environment

Association of Certified Fraud Examiners (ACFE) Management/Key Employee Assessment

When a number of red flags are present, sometimes the best course of action is to notify the entity's external auditors.