Fraudsters are using increasingly sophisticated methods to trick people. With the development of computerization and digitalization, new threats are constantly emerging, often where organizations are not yet prepared for them. Vulnerability awareness concerns not only top managers, but also internal auditors, whose mission is to contribute to protecting and enhancing the value of organizations. So you should definitely not underestimate the risk of fraud! What control mechanisms can help you to reduce your risk of fraud?
1. Fraud detection
Preventive mechanisms may not prevent fraud in specific cases. Therefore, it is important that you put in place procedures that allow fraud to be detected. There are many ways to detect fraud. I recommend that you combine them appropriately to balance the benefits and costs incurred. One effective tool for detecting fraud and unwanted actions is the so-called ethical line.
New legal obligation - the so-called ethical line
The ethical line can be thought of as various channels and procedures for receiving, recording and investigating notifications of breaches of binding rules. The purpose of the ethical line is to allow whistle-blowers to use an internal channel instead of passing information to external control bodies. The company can thus detect fraudulent behaviour in a timely manner, prevent it and prevent further damage, including reputational damage or possible sanctions. Based on the notifications received, the company can implement corrective measures to prevent similar adverse events in the future.
Already today, some companies or public organizations are obliged to establish an internal channel for reporting infringements. In the future, this obligation will be extended to virtually all medium-sized and large enterprises and organizations (companies with more than 50 employees, the public sector, etc.). These requirements stem from a new European directive. The Ministry of Justice recently submitted a draft law on the protection of whistle-blowers to the government. The related obligations will be enforceable in the Czech Republic after the adoption of the law, but no later than 17 December 2021.
Under this new legislation, obliged entities will have to establish procedures and secure channels for receiving and investigating notifications - a so-called internal notification system. These procedures must also include measures to protect the identity of the notifiers. The company will also need to designate a person to be responsible for receiving and investigating these notifications. The choice of the form of notification is basically up to the notifier - the organization must allow the receipt of notifications both in writing and orally. The whistle-blower also has the right to be informed of the findings of the investigation within thirty days of receipt of the notification.
Although notifiers may, in principle, not be prohibited from using any form of submission, it is advantageous to motivate notifiers to use the channel preferred by the organization. This centralization can help a company have more control over individual notifications, make it easier to track deadlines, and protect the personal information of the whistle-blower. An online application is an effective tool for facilitating the receipt of notifications and motivating whistle-blowers to use the organization's internal notification system.
The obliged entity may provide the internal notification system either by using internal resources or by managing it through an external partner.
Example of internet application - BDO Ethical hotline
Continuous transaction monitoring
Another effective way to detect fraud is to monitor transactions on an ongoing basis. This offers another way to better understand risks, set controls more effectively, and help senior management to better manage the company. Specifically, an internal process oversees accounting practices, risk controls, compliance, information systems and business processes on an ongoing basis.
The system itself goes through and analyses selected processes and draws attention to deviations and discrepancies. Companies do not need complex data analysis tools or large budgets to benefit from an effective ongoing internal audit program. By assessing individual risks, you can decide on priorities and direct resources to those areas that are most important to your successful and efficient business.
Example of continuous monitoring of transactions: BDO Continuous monitoring application
The table above shows an example of using the continuous transaction monitoring method to detect fraud. The example relates to the area of concluding insurance contracts. On the introductory screen, the system already uses colour to signal that there has been a deviation in the area of concluding insurance contracts. After clicking on it, the company's management can see the details, which they can examine further to determine whether fraud has occurred.
Continuous transaction monitoring tools can thus facilitate the early detection of fraud and its further investigation. They are very flexible and can be set up for various processes in the company - from regular monthly bills, through the company's liquidity, to the process of handling new and departing employees. Automation can free up employees and allow them to focus on activities for which there was previously no time. Another advantage is the ability to work with a large amount of data in real time without the need to request individual documents.
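The overview-and-detail logic described above can be sketched as follows. This is an added example, not code from the article or from the BDO application; the agent names, monthly counts, thresholds and the choice of a median/MAD score are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample: insurance contracts concluded per agent per month.
# The last value in each list is the month under review.
CONTRACTS_PER_AGENT = {
    "agent_a": [21, 19, 22, 20, 23, 21, 22],
    "agent_b": [18, 20, 17, 19, 18, 21, 26],
    "agent_c": [20, 22, 19, 21, 20, 22, 58],
}
AMBER, RED = 3.0, 6.0  # assumed thresholds, in robust deviations
SEVERITY = ["green", "amber", "red"]


def robust_score(history, value):
    """Distance of value from the historical median, in scaled-MAD units.

    Median and MAD are used instead of mean and standard deviation so that
    one earlier outlier in the history does not hide a new one.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad > 0 else 1.0  # flat history: use raw distance
    return abs(value - med) / scale


def colour(score):
    if score >= RED:
        return "red"
    return "amber" if score >= AMBER else "green"


def drill_down(series_by_key):
    """Detail view: status and score of the latest period for every key."""
    details = {}
    for key, series in series_by_key.items():
        *history, current = series
        score = robust_score(history, current)
        details[key] = (colour(score), round(score, 1))
    return details


def overview(details):
    """Overview tile: the worst colour among the items in the area."""
    return max((c for c, _ in details.values()), key=SEVERITY.index)


if __name__ == "__main__":
    details = drill_down(CONTRACTS_PER_AGENT)
    print("insurance contracts:", overview(details))
    for agent, (c, score) in details.items():
        print(f"  {agent}: {c} (score {score})")
```

A red or amber item is a prompt for investigation, not a finding of fraud; the score only says how far the current period sits from that item's own history.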
2. Fraud prevention
An internal control system is a basic tool for fraud prevention. Although it has its limits, it remains an essential weapon in the fight against fraud. If internal control is not sufficient, the fraudster can exploit its weak points. In view of the objectives of the internal control system, fraud may manifest itself as follows:
- efficiency and effectiveness of operations – e.g. increased costs due to damage caused, failure to achieve set objectives,
- reliability of reporting – e.g. overstated turnover reported in order to claim performance rewards,
- compliance with legislation, other regulations and contracts – e.g. non-compliance with binding procedures and the resulting sanctions, damage to reputation and relationships with key stakeholders.
One of the conditions for truly effective fraud prevention is the level of the ethical environment in the organization. If management tolerates transgressions or even breaks the rules themselves, other employees cannot be expected to behave better. The so-called "Tone at the top", the example set by management, can significantly influence behaviour in the company.
Common control mechanisms for the prevention of errors or fraud include the separation of incompatible responsibilities, or the four-eyes control rule. Responsibility for preserving assets, approving the use of assets and keeping records of assets should be separated. In smaller organizations with fewer employees, this division may be more difficult to achieve. However, organizations should strive for the maximum implementation of this principle, or compensate for deficiencies by other control mechanisms.
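Both rules in the paragraph above can be checked automatically against role and payment records. The following is an added example, not part of the original article; the user names, duty labels, payment fields and the compensating-control register are constructed assumptions.

```python
from collections import defaultdict

# The three responsibilities the text says should be separated
# (labels are assumptions of this example).
INCOMPATIBLE = {"custody", "approval", "record_keeping"}

# Constructed sample data.
ASSIGNMENTS = [
    ("user_a", "custody"), ("user_a", "record_keeping"),
    ("user_b", "approval"),
    ("user_c", "record_keeping"),
]
COMPENSATING = {"user_a": "monthly independent reconciliation"}
PAYMENTS = [
    {"id": "P-001", "created_by": "user_c", "approved_by": "user_b"},
    {"id": "P-002", "created_by": "user_b", "approved_by": "user_b"},
    {"id": "P-003", "created_by": "user_a", "approved_by": None},
]


def sod_conflicts(assignments, compensating):
    """Users holding more than one incompatible duty, with any documented
    compensating control (None means the gap is uncovered)."""
    duties = defaultdict(set)
    for user, duty in assignments:
        if duty in INCOMPATIBLE:
            duties[user].add(duty)
    return [
        {"user": user, "duties": sorted(held),
         "compensating_control": compensating.get(user)}
        for user, held in sorted(duties.items()) if len(held) > 1
    ]


def four_eyes_violations(payments):
    """Payments that were not approved by a second, different person."""
    findings = []
    for p in payments:
        if not p["approved_by"]:
            findings.append((p["id"], "no approver"))
        elif p["approved_by"] == p["created_by"]:
            findings.append((p["id"], "self-approved"))
    return findings


if __name__ == "__main__":
    for conflict in sod_conflicts(ASSIGNMENTS, COMPENSATING):
        print("SoD conflict:", conflict)
    for payment_id, reason in four_eyes_violations(PAYMENTS):
        print("Four-eyes violation:", payment_id, reason)
```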
Employees should also receive regular training. Training should include corporate values and principles of conduct in the organization, fraud prevention practices, and practical examples of situations that employees may find themselves in. How to respond to a bribe offer? How to deal with a fraudulent invoice? How not to be fooled by a fake e-mail? All this can be included in the training. And what form should this training take? Companies have many different options. E-learning is a cost-effective and today undoubtedly practical option.
Of course, internal audit is also an irreplaceable aid in the fight against fraud. With its methodological approach, it helps to improve the risk management system, management and control processes and the management and administration of the organization. International standards require auditors to address the risk of fraud in their work.