During 2022, CohnReznick’s fraud risk management professionals experienced a significant increase in requests for assistance related to fraud. Many of these frauds may have begun during the pandemic, but went undetected for a significant period of time due to the sudden shift to remote workforces.
As we analyze what went wrong at these organizations, we often see several themes related to the erosion of long-standing basic control protocols, in areas such as segregation of duties, oversight over reconciliation processes, follow-up on budget-to-actual variances, and vendor onboarding. This erosion, combined with an increase in “passive approval processes” (approvals made without an adequate level of support or skepticism) and a decrease in audit activities, has created a perfect environment for fraud to go undetected for a sustained period.
It is also worth noting that companies are being further challenged by the difficulty in finding qualified professionals to fill key positions that could help improve their weakened control environments.
While none of these are new issues, their increased presence, and their relationship to fraudulent activity, is symptomatic of the new workplace paradigm that has rapidly evolved.
There’s no time like the present to reflect on your organization’s control environment and take action to reduce the risk of fraudulent activity. Here are nine ways to get started.
1. Refresh your risk assessment activities. Many organizations perform a risk assessment once a year. But effective risk management requires an ongoing process of assessment, monitoring, and adjusting.
2. Identify, evaluate, and strengthen any interim controls that were established during the pandemic. Many of these controls (and processes) were created quickly and not designed to be permanent.
3. Review your system access controls. Pay careful attention to system access that was granted during the pandemic, and adjust rights and terminate access as appropriate.
4. Identify third-party/vendor relationships that were established and onboarded during the pandemic, and evaluate them for appropriateness in today’s environment. Third-party relationships established during a crisis may not have received the same level of scrutiny or due diligence. Circle back now for a closer look: What were they hired to do? Did they do it? Do we still need them?
5. Identify segregation of duties (SOD) issues. Many organizations are still struggling to fill key positions. Evaluate the impact that these vacancies are having on establishing adequate SOD, and create interim review processes to mitigate risks until roles are filled.
6. Look at what you are approving. Be aware that your control environment has changed. We should always employ a healthy degree of skepticism during any approval process and not hesitate to ask for more information as needed to get comfortable.
7. Establish an internal audit presence within your organization. Provide risk and control-based training to your employees that includes information related to audit activities. The knowledge that your organization routinely performs audits is a strong fraud deterrent for employees, vendors, and third parties.
8. Review any system implementations that were performed during the pandemic. We have seen an increase in failed and/or problematic implementations over the past year. A post-implementation review may identify process and control issues that need to be remediated.
9. Evaluate, person by person, the need for company-issued credit cards. Establish an independent process for reviewing the appropriateness of all credit card holders, expenditures, and payments.
Contact our team for more insights or for tips on getting started today.
Subject matter expertise
CIA, CFE, Principal, Risk Advisory, Global Consulting Solutions