Officers and Directors of businesses of all sizes need to factor risks into their compliance programs.

March 01, 2011

The current business environment is one of increased susceptibility to fraud and abuse. It is common for businesses operating under reduced head count to put additional stresses on their internal controls creating opportunities for fraud to be committed. These stresses, coupled with external financial pressures and rationalizations of their employees, result in increased fraud risk. Officers and Directors of businesses of all sizes need to be aware of these risks and factor them into their compliance programs.

Corporate Downsizing

The U.S. economy began to slow between the fourth quarter of 2007 and the first quarter of 2008 as businesses felt the effects of reduced demand for their products and services. In response to sluggish demand, businesses reacted by reducing their workforces including professionals and educated employees. The unemployment rate of management, professional, and related occupations more than doubled between 2007 and 2010 going from 2.1% in 2007 to 4.7% by November 2010.1 When businesses downsize, the remaining staff and management are frequently tasked with additional job functions or responsibilities outside of their scope of expertise as a result of re-aligning work flow. Such restructuring can create stresses or even weaknesses within a company’s internal control structure.

Recent research into the occurrence of fraud points to a correlation between a downturn in the economy and increases in fraud. Following recessions in 1990 and 2000, fraud arrests jumped 52% and 25% respectively in the two years after the downturn.2 The latest downturn appears to be no different as fraud is once again on the rise. The Institute of Internal Auditors released survey results in February 2010 that found fraudulent acts by employees increased since 2008 with almost half of respondents reporting an increase of fraud by 1-10% and almost a third reporting fraud increases of 11-20%.3 In a survey released by PriceWaterhouseCoopers in November 2009, almost half of all respondents believed that both the incidences and cost of fraud were greater now than compared to the fourth quarter of 2008.4 As the unemployment rate rose during this past recession so did the occurrence of fraud.

Internal Controls

Understanding the background, purpose, and principles of effective internal controls is important when evaluating the impacts of downsizing on a corporation’s fraud risk. Through the creation of systems of checks and balances, internal controls attempt to ensure reliable financial reporting, effective and efficient operations, and compliance with applicable laws and regulations. Internal control begins with management’s attitude toward oversight and adherence to its own policies and procedures, known as the tone at the top. Principles of effective internal controls are as follows:5

I. Segregation of Duties

II. Proper Authorization

III. Adequate Documents and Records

IV. Physical Control

V. Independent Checks

The various components of effective internal controls are best demonstrated using an example of an actual control system frequently utilized by manufacturing companies. The adjacent diagram represents the process of the procurement of goods by a typical manufacturing company and illustrates how internal controls should work.

First, an item is requisitioned from a specific department, division or profit/cost center. Approval, usually by a department manager, is given to enter into a transaction and a purchase order is created. That purchase order is then copied five times and sent to different company departments.

The first copy will be sent to a vendor to place the order. The second copy is sent to the original requestor to ensure what was ordered is what was requested and to provide notification that an order has been placed. The third copy will be filed for future reference while the fourth copy will be sent to the receiving department to ensure what is delivered to the company is what was ordered. The last copy will be sent to the payables department where it will be matched to the vendor invoice when processed for payment.

Before any money is disbursed, the purchase order along with the approved requisition, bill of lading, and the vendor invoice is sent to the payables department. Matching and comparing all of these documents ensures that what was requested, approved, ordered, and received by the company is what the vendor is billing for and the company is paying.

This process exemplifies the five principles of Internal Control introduced above. The transaction is completed by several different employees resulting in the segregation of duties. One employee approves the transaction, another employee places the order and documents the transaction, while a third employee will process the payment. Further, the physical control component is present when personnel in the receiving department verify the receipt of goods to the order.

This system of maintaining and validating documents in a variety of departments, or by a variety of personnel, also creates a “paper trail” that independent auditors can review to substantiate audit findings.

While no system of Internal Controls can completely eliminate fraudulent acts, a well-designed system can increase the level of actual and perceived detection. The perception of detection is an important consideration in designing and implementing control programs as it has been shown that the higher the level of perceived detection, the lower the likelihood a fraud would be committed as an employee will usually only commit a fraud if they think they will get away with it.6

The Fraud Triangle

Aside from a basic understanding of the structure and purpose of well designed internal controls, it is also important to understand the theory behind fraudulent activity when assessing the potential impacts of the “Great Recession” on companies operating in the current environment.

The Fraud Triangle, as depicted below, was first developed in the 1940’s by criminologist Donald R. Cressey after interviewing 200 incarcerated embezzlers.7 His theory states that for a fraud to occur, three elements must be present: Opportunity, Motive, and Rationalization.

First and most importantly, an opportunity must be present for a perpetrator to exploit, such as a weakness in a control structure, a promotion to a position of increased authority, or the development of a relationship that allows collusion. The ACFE’s latest Report to the Nations found that the two largest contributors in allowing frauds to occur were the lack of internal controls and overrides of existing internal control, together representing 57% as opportunities for fraud.8

Second, for a person to act on an opportunity to defraud a company they must have a motive. This is usually a financial pressure, such as a personal financial need or pressure to meet financial targets. Finally, a person must rationalize their fraudulent behavior, which in essence is their reason or excuse as to why what they are doing is acceptable.

The Perfect Storm

In the procurement illustration presented earlier, many employees take part in the process of procuring goods for the company. When some of those employees are eliminated, internal controls may breakdown creating opportunities for an employee to commit a fraud. The control structure is impacted in several ways, a selection of which is highlighted below:

aI Segregation of Duties. The procurement example above ensures that a single employee does not have the authority to approve, execute, and record a single transaction. When workforces are reduced, segregating all duties may become difficult. In this situation, not only is there an opportunity to commit a fraud but an opportunity also exists to conceal the fraud.

bI Proper Authorization. When layers of management are consolidated, the monitoring and oversight of internal controls can be compromised as roles and responsibilities will most likely have been changed. In this situation, a manager may be untrained or relatively inexperienced in the area he or she is managing – or simply has too much to manage. Under such a situation, it is possible for an employee to requisition a fraudulent order to be approved by an inexperienced or overworked manager. That manager may not have the time or expertise to validate the company’s need for that requisition or confirm that goods or services were actually delivered.

cI Adequate Documents and Records. When personnel are reduced and departments are overworked and under-resourced, documentation of transactions may suffer. Departments may not have the time to fill out all the paperwork required to fully document a transaction. This may in turn result in gaps in the paper trail that will make independent checks more difficult.

While many employees would not act on the above or other opportunities to defraud a company, the recent recession has undoubtedly put a significant financial strain on many Americans who have experienced pay or work schedule reductions. An opportunity that presents itself for an extended period of time combined with financial pressures may cause an employee to talk themselves into a crime they would otherwise have avoided.

Management Considerations

The Sarbanes-Oxley act passed in 2002 was enacted in response to the large corporate accounting scandals of the time. Sections of the act were written to place strong emphasis on companies’ internal controls in order to make them less susceptible to fraud. These sections are discussed below.

Section 302 of the Sarbanes Oxley Act requires that periodic statutory financial reports include certifications that:

  • The signing officers have reviewed the report
  • The report does not contain any material untrue statements or material omission or be considered misleading
  • The financial statements and related information fairly present the financial condition and the results in all material respects
  • The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
  • A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
  • Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
  • Section 404 of the Sarbanes Oxley Act requires issuers to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.9

Management needs to be aware that changes in workforce as described above have an effect on internal controls and should be taken into consideration when making assessments and certifications for financial reporting. Intentional violations of these certifications can result in a corporate officer being criminally liable for a fine of up to $5 million and a 20 year prison sentence.10

Recommendations

In many situations, downsizing was the best and in some cases the only option for companies to ensure survival and save many jobs. While this inherently increases a company’s risk of fraud there are some steps that can be taken to combat this risk. An important and effective way to mitigate the risk of fraud in an organization is to identify and prioritize fraud risks. Once fraud risks are prioritized the highest risk areas should receive the most monitoring, testing and staffing. Many software programs are now currently available that offer electronic continuous monitoring of controls that will create reports when red flags are found which can decrease the headcount needed to effectively operate controls. The prioritizing and monitoring of fraud risks will also increase the perceived level of detection which will in turn lower and better manage the risk of fraud.

A strong compliance program that includes ethics training is also effective for reducing risks and it sets a strong tone at the top, which puts employees on alert that fraudulent activity will not be tolerated.

Conclusion

A weak economy, corporate downsizing, increased pressures, and decreased controls offer an explanation as to the relationship between the occurrence of fraud, the unemployment rate, and an economic downturn. By understanding how frauds are committed and how changes in staffing can increase those risks, managers, executives, and business owners can better understand the long term consequences of short term decisions as they relate to fraud risks. There are many components, processes, and procedures that make up a company’s internal controls. More important than the number of employees executing the procedures of a company’s internal controls is the attitude of management towards them; a strong tone at the top could deter would be fraud perpetrators. Even with large reductions in workforce, an adequate control environment can still be maintained with appropriate planning and management oversight. However, when workforce reductions are made, management needs to consider those impacts when assessing the effectiveness of internal control and fraud risk; those considerations are especially relevant when certification is made on them.

 ---

1 Bureau of Labor Statistics; the overall unemployment rate over this period rose to over 10%.

2 Levisohn, Ben. “Experts Say Fraud Likely to Rise” Businessweek. 9 January 2009. Online.

3 WebCPA Staff. “Auditors See Increase in Fraud” WebCPA.

4 PricewaterhouseCoopers. “The Global Economic Crime Survey” November 2009; Bureau of Labor Statistics.

5 Committee of Sponsoring Organizations, Report of the National Commission on Fraudulent Financial Reporting issued October 1987.

6 Association of Certified Fraud Examiners. 2010 Report to the Nations on Occupational Fraud and Abuse.

7 “Occupational Fraud and Abuse,” by Joseph T. Wells, Obsidian Publishing Co. 1997.

8 Association of Certified Fraud Examiners. 2010 Report to the Nations on Occupational Fraud and Abuse.

9 The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.

10 Sarbanes-Oxley Section 906.