The convergence of technology and business has brought unparalleled opportunities, but in today’s digital age it has also brought organizations significant fraud risk. According to the AICPA, fraud can be defined as “an intentional act involving the use of deception that results in a misstatement in the subject matter or the assertion” (Successful SOC 2 Approaches to Address Fraud Risk, 2019). It is a knowing misrepresentation of the truth, or omission of a material fact, that causes an individual or entity to act on the deception to their own detriment (McCarty, 2022). Cybersecurity threats and fraud have become pervasive, affecting businesses, governments, and individuals worldwide, and cybersecurity is now a critical component of an organization’s structure and strategic planning. A business that does not identify, measure, monitor, and remediate the risks in its operations is unlikely to survive them. This article takes a closer look at the types of fraud to which organizations are exposed, the frameworks organizations can use to safeguard themselves, and effective strategies for mitigation.
There are four types of fraud risk to consider within an organization.

The most widely known, fraudulent financial reporting, is any intentional misstatement of financial information. It is carried out by intentionally misrepresenting a company’s financial statements, whether by omission or exaggeration, to create a more favorable impression of the company’s financial position, performance, and cash flows (Beaver, 2022). Financial statement fraud is the least common type of occupational fraud, but the most costly, with a reported median loss of $766,000 (Association of Certified Fraud Examiners, Inc., 2024).

Second is fraudulent non-financial information, which includes misstated quality assurance reports, safety records, and operational performance metrics. As Douglas Prawitt, CPA, Ph.D., an accounting professor at Brigham Young University, describes it, non-financial information “is just about anything that does not have a dollar sign in front of it.” Fraudulent figures can include a business’s square footage, amount of inventory, industry data, or number of patents, products, employees, or customer accounts, among other types of information (Meyer, 2015).

Third is misappropriation of assets, whether by employees, vendors, or other third parties, affecting both tangible and intangible assets. Common examples are unauthorized use of equipment, inventory shrinkage, fake sales or purchases, cash and check schemes, accounts payable and accounts receivable schemes, and fictitious disbursements. According to the ACFE 2024 Report to the Nations, asset misappropriation is the most common fraud within organizations, but the least costly, with a median loss of $120,000 (Association of Certified Fraud Examiners, Inc., 2024).
Lastly, corruption and other illegal acts, such as violations of laws and regulations, bribery, kickbacks, and illicit use of personally identifiable information (PII), electronic protected health information (EPHI), intellectual property, or national security information, are also fraud risks that organizations must consider. Kickback schemes include rigging a bidding process so that a favored vendor or contractor wins, and paying a particular vendor more than market rate for goods.
Principle 8 of the Internal Control Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) states that “the entity considers the potential for fraud in assessing risks to the achievement of the organization’s objectives” (McCarty, 2022).
Principle 8 is built on five points of focus; three of them (incentives and pressures, opportunities, and attitudes and rationalizations) correspond directly to the three sides of the fraud triangle:
- Types of Fraud – consideration of fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
- Incentives and Pressures – consideration of incentives and pressures present within the organization.
- Opportunities – consideration of opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.
- Attitudes and Rationalizations – consideration of how management and other personnel might engage in or justify inappropriate actions.
- Risks Related to Use of IT and Information Access – consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information (Successful SOC 2 Approaches to Address Fraud Risk, 2019).
A common tool organizations use to monitor and prevent fraud is the risk assessment, which an entity can perform as frequently as it deems necessary. The purpose of a cybersecurity risk assessment is to identify, assess, and prioritize risks to information and information systems (Cybersecurity Risk Assessments, 2024). The National Institute of Standards and Technology (NIST) Cybersecurity Framework is one of the most widely used frameworks for organizing this work; it provides a flexible, structured approach for organizations to assess their cybersecurity risks and prioritize actions to reduce them. Another safeguard is a System and Organization Controls (SOC) examination, in which an independent service auditor tests the design and operating effectiveness of the organization’s controls and issues an attestation report (a SOC report is an auditor’s opinion, not a certification). A SOC 1 report covers controls relevant to user entities’ financial reporting; a SOC 2 report covers controls against the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Neither standard prescribes specific controls, but together the two reports cover the control areas most relevant to fraud: financial reporting, information security, and operational integrity. The following control areas are commonly tested in SOC examinations and can be implemented by organizations to protect against fraud:
1. Access Controls
- User Access Management
  - Role-Based Access Control (RBAC): Grant access to systems and data according to users’ roles and responsibilities rather than to individuals ad hoc, so that access can be reviewed and revoked by role.
  - Least Privilege Principle: Grant users the minimum access necessary to perform their job functions, and remove access that is no longer needed when a job changes.
  - Regular Access Reviews: Periodically review user access rights, and always on transfer or termination, to confirm that access is still appropriate and to detect unauthorized or accumulated access.
- Authentication Mechanisms
  - Multi-Factor Authentication (MFA): Require MFA, particularly for remote, privileged, and financial-system access, so that a stolen password alone does not grant access.
  - Strong Password Policies: Enforce strong password requirements, screen new passwords against lists of known compromised passwords, and require a change when compromise is suspected rather than on a fixed calendar schedule (consistent with NIST SP 800-63B, which advises against routine forced rotation).
2. Segregation of Duties
- Separation of Critical Functions: Ensure that no single individual has control over all aspects of any critical transaction to prevent fraudulent activities.
- Approval Workflows: Implement automated workflows that require approval from personnel independent of the initiator for high-risk activities and transactions, with the system itself rejecting an approval by the person who initiated the item rather than relying on policy alone.
3. Audit Logging and Monitoring
- Comprehensive Logging: Log authentication events, privileged actions, system and configuration changes, and access to sensitive data, and protect the logs from tampering by forwarding them to a system that the administrators being monitored cannot alter or delete.
- Continuous Monitoring: Use automated tools to continuously analyze logs and alert on suspicious activity in near real time.
- Regular Log Reviews: Conduct regular and systematic reviews of logs to identify and investigate anomalies and potential fraud indicators.
4. Incident Response and Reporting
- Incident Response Plan: Develop and maintain a formal incident response plan that outlines procedures for detecting, responding to, and recovering from fraud incidents.
- Whistleblower Mechanisms: Provide confidential channels for employees and stakeholders to report suspected fraud without fear of retaliation.
- Incident Documentation: Maintain detailed records of all reported incidents and the steps taken to resolve them.
5. Vendor and Third-Party Management
- Due Diligence: Conduct thorough due diligence on third-party vendors, including background checks and reviews of their security practices.
- Contractual Obligations: Include clauses in vendor contracts that mandate compliance with your organization’s security and fraud prevention policies.
- Ongoing Monitoring: Continuously monitor third-party activities and conduct regular audits to ensure compliance with security requirements.
6. Data Integrity and Confidentiality
- Data Encryption: Encrypt sensitive data in transit and at rest, with encryption keys managed and access-controlled separately from the data they protect.
- Data Classification: Implement a data classification scheme to identify and appropriately protect sensitive and critical data.
- Regular Data Reconciliation: Conduct regular reconciliations of financial data and other critical information to detect and correct discrepancies.
7. Change Management
- Controlled Change Processes: Implement formal change management processes to ensure that all changes to systems and applications are reviewed, tested, and approved before implementation.
- Segregation of Environments: Maintain separate development, testing, and production environments, and restrict developers’ direct write access to production, so that unauthorized or untested changes cannot be introduced into the production environment.
8. Training and Awareness
- Fraud Awareness Training: Provide regular training to employees on recognizing and reporting fraud and understanding their role in preventing it.
- Security Best Practices: Educate employees about security best practices, including phishing prevention, secure handling of sensitive information, and proper use of company systems.
9. Policy and Procedure Documentation
- Comprehensive Policies: Develop and enforce comprehensive policies related to fraud prevention, detection, and response.
- Regular Updates: Regularly review and update policies and procedures to address emerging fraud risks and evolving regulatory requirements.
10. Financial Controls
- Automated Controls: Implement automated controls in financial systems to detect anomalies and enforce compliance with financial policies.
- Reconciliation Processes: Conduct regular reconciliations of accounts, transactions, and financial statements to identify discrepancies and potential fraud.
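Items 1 through 3 above (access reviews, segregation of duties, and log monitoring) can be checked mechanically once role assignments and transaction logs are exported from the accounting or ERP system. The following is an added example written for this article, not code from the original text or from any SOC guidance: the role names, permission names, user assignments, "toxic" permission pairs, and audit-log lines are all constructed for illustration, and a real deployment would load them from the organization's own systems.

```python
"""Segregation-of-duties checks over role assignments and an approval audit log.

Added example (not from the original article). Role names, permission names,
user assignments and log lines are all constructed for illustration.
"""
from collections import defaultdict

# Constructed role -> permission mapping, as it might be exported from an ERP/IAM system.
ROLE_PERMISSIONS = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "treasury":   {"payment.release", "bank.reconcile"},
    "it_admin":   {"user.manage", "log.manage"},
}

# Toxic combinations: permission pairs that one person should never hold together.
TOXIC_PAIRS = {
    frozenset({"vendor.create", "payment.release"}),   # set up a vendor and pay it
    frozenset({"invoice.enter", "invoice.approve"}),   # enter an invoice and approve it
    frozenset({"payment.release", "bank.reconcile"}),  # move the money and reconcile it
    frozenset({"user.manage", "log.manage"}),          # grant access and erase the trail
}

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob":   ["ap_manager"],
    "carol": ["ap_clerk", "ap_manager"],   # kept an old role after a transfer
    "dave":  ["treasury", "ap_manager"],
    "erin":  ["it_admin"],                 # a single role can itself be a conflict
}

# Constructed approval-log lines: timestamp, transaction id, action, actor.
AUDIT_LOG = """\
2024-03-04T09:12:01Z INV-1001 enter alice
2024-03-04T11:40:22Z INV-1001 approve bob
2024-03-05T08:02:10Z INV-1001 release dave
2024-03-05T09:15:43Z INV-1002 enter carol
2024-03-05T09:16:05Z INV-1002 approve carol
2024-03-06T08:01:57Z INV-1002 release dave
2024-03-06T10:30:00Z INV-1003 enter alice
2024-03-07T08:00:12Z INV-1003 release dave
2024-03-07T14:22:31Z INV-1004 enter alice
2024-03-07T15:01:09Z INV-1004 approve bob
2024-03-07T15:01:40Z INV-1004 release bob
"""


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS, toxic=TOXIC_PAIRS):
    """Static check: users whose combined roles grant both halves of a toxic pair.

    Returns {user: [(perm_a, perm_b), ...]}; pairs and lists are sorted so the
    output is stable enough to diff between one access review and the next.
    """
    findings = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles, role_permissions)
        hits = sorted(tuple(sorted(pair)) for pair in toxic if pair <= perms)
        if hits:
            findings[user] = hits
    return findings


def parse_log(text):
    """Yield (txn_id, action, actor) from the constructed space-separated log format."""
    for line in text.splitlines():
        _ts, txn, action, actor = line.split()
        yield txn, action, actor


def approval_violations(events):
    """Dynamic check over the log: the same actor on both sides of an approval
    boundary, and payments released with no approval recorded at all."""
    actors_by_txn = defaultdict(lambda: defaultdict(set))
    for txn, action, actor in events:
        actors_by_txn[txn][action].add(actor)
    self_approved = sorted(
        txn for txn, a in actors_by_txn.items()
        if a["enter"] & a["approve"] or a["approve"] & a["release"]
    )
    unapproved = sorted(
        txn for txn, a in actors_by_txn.items() if a["release"] and not a["approve"]
    )
    return self_approved, unapproved


if __name__ == "__main__":
    for user, pairs in sod_conflicts(USER_ROLES).items():
        print(f"SoD conflict for {user}: {pairs}")
    self_approved, unapproved = approval_violations(parse_log(AUDIT_LOG))
    print("Same person initiated and approved/released:", self_approved)
    print("Released without any approval:", unapproved)
```

Run on the constructed data, the static check flags carol (who accumulated both clerk and manager roles), dave (who can both release payments and reconcile the bank account), and erin (whose single it_admin role lets her grant access and tamper with the logs that would record it). The log check then flags INV-1002, which carol entered and approved herself, INV-1004, which bob approved and released, and INV-1003, which was released with no approval at all. The two checks complement each other: the static check finds the opportunity before it is used, and the log check catches the cases where a workflow exists on paper but the system did not enforce it.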
By implementing these controls and having them independently tested, organizations build a framework that protects against fraud and also strengthens overall security and operational integrity. Together they support a proactive approach to fraud prevention, detection, and response, improving the organization’s resilience against fraudulent activity.
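Items 6 and 10 above call for regular reconciliation of financial data. The following is an added example, not code from the original article: it reconciles a small set of constructed general-ledger disbursements against constructed bank debits, and separately screens the ledger for duplicate payments, which a reconciliation that balances to the penny will not surface on its own. The record layouts, vendor names, amounts, and the five-day clearing window are all assumptions made for illustration.

```python
"""Disbursement reconciliation and duplicate-payment screening.

Added example (not from the original article). The ledger and bank records are
constructed; real data would be exported from the accounting system and the bank.
"""
from datetime import date
from decimal import Decimal

# Constructed general-ledger disbursements: (entry id, posting date, vendor, amount).
LEDGER = [
    ("L1", date(2024, 3, 1), "Acme Supply",   Decimal("1250.00")),
    ("L2", date(2024, 3, 2), "Northwind Ltd", Decimal("980.50")),
    ("L3", date(2024, 3, 5), "Acme Supply",   Decimal("1250.00")),  # same vendor/amount as L1
    ("L4", date(2024, 3, 8), "Globex Corp",   Decimal("4300.00")),  # never clears the bank
]

# Constructed bank debits: (bank reference, value date, amount).
BANK = [
    ("B1", date(2024, 3, 4), Decimal("1250.00")),
    ("B2", date(2024, 3, 4), Decimal("980.50")),
    ("B3", date(2024, 3, 7), Decimal("1250.00")),
    ("B4", date(2024, 3, 9), Decimal("2150.00")),  # debit with no ledger entry behind it
]


def reconcile(ledger, bank, clearing_days=5):
    """Match each ledger disbursement to at most one bank debit of the same amount
    whose value date falls 0..clearing_days after the posting date.

    Returns (matched pairs, ledger ids with no bank debit, bank refs with no ledger
    entry). Ledger-only items are candidates for fictitious disbursements or timing
    differences; bank-only items are candidates for unauthorized payments.
    """
    unmatched_bank = list(bank)
    matched, ledger_only = [], []
    for lid, posted, _vendor, amount in sorted(ledger, key=lambda r: r[1]):
        candidates = [
            b for b in unmatched_bank
            if b[2] == amount and 0 <= (b[1] - posted).days <= clearing_days
        ]
        if candidates:
            debit = min(candidates, key=lambda r: r[1])  # earliest eligible debit
            unmatched_bank.remove(debit)
            matched.append((lid, debit[0]))
        else:
            ledger_only.append(lid)
    return matched, ledger_only, [b[0] for b in unmatched_bank]


def duplicate_payments(ledger, window_days=30):
    """Flag pairs of disbursements to the same vendor for the same amount within
    window_days of each other, a classic double-payment indicator that a clean
    bank reconciliation will not surface on its own."""
    rows = sorted(ledger, key=lambda r: r[1])
    dups = []
    for i, first in enumerate(rows):
        for second in rows[i + 1:]:
            same = first[2] == second[2] and first[3] == second[3]
            if same and (second[1] - first[1]).days <= window_days:
                dups.append((first[0], second[0]))
    return dups


if __name__ == "__main__":
    matched, ledger_only, bank_only = reconcile(LEDGER, BANK)
    print("Matched:", matched)
    print("In ledger, not at bank:", ledger_only)
    print("At bank, not in ledger:", bank_only)
    print("Possible duplicate payments:", duplicate_payments(LEDGER))
```

On the constructed data the reconciliation matches L1, L2 and L3 to bank debits, leaves L4 as a ledger entry with no corresponding outflow, and leaves B4 as a bank debit nobody recorded. Note that L3 reconciles cleanly even though it is a second payment of the same amount to the same vendor four days after L1; only the separate duplicate screen flags the (L1, L3) pair. Amounts are handled as Decimal rather than float so that equality comparisons on currency are exact.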
While the fusion of technology and business in the digital age offers unprecedented opportunities, it also presents significant challenges, particularly in the realm of organizational fraud. As cybersecurity threats and fraud become more pervasive, their impact is felt across businesses, governments, and individuals globally. Therefore, integrating robust cybersecurity measures into an organization’s structure and strategic planning is crucial. It is imperative for organizations to stay vigilant and proactive in their efforts to safeguard against these ever-evolving threats.
In Case You Missed It!
This article is part of our “Leader’s Guide to Fraud Prevention” series, designed to provide ongoing guidance on simple, effective actions leadership can take to prevent fraud, waste, and abuse. Previous articles have explored everything from emerging fraud trends to critical risk areas like cybersecurity, as well as entity-wide recommendations for strengthening controls. By making a few strategic improvements to your fraud prevention environment, your organization can build a stronger foundation for long-term financial success.
Missed the other articles of the series? Check them out here:
- Risk Mitigation Starts with You
- Fraud Facts & Misconceptions
- How to Protect Your Business from Cash Fraud
- Payroll Fraud: Understanding the Schemes Involved
- Cash Disbursement Fraud Schemes and How to Prevent
- Expense Reimbursement Fraud: Understanding the Risks
- Understanding & Preventing Inventory Fraud
- Preventing Financial Reporting Fraud: Key Strategies
References
Association of Certified Fraud Examiners, Inc. (2024). Occupational Fraud 2024: A Report to the Nations. Association of Certified Fraud Examiners, Inc.
Beaver, S. (2022, April 5). Financial Statement Fraud: Detection & Prevention. Retrieved from NetSuite: https://www.netsuite.com/portal/resource/articles/accounting/financial-statement-fraud.shtml
Cybersecurity Risk Assessments. (2024). Retrieved from IT Governance USA: https://www.itgovernanceusa.com/cyber-security-risk-assessments
McCarty, B. (2022, August 24). Considerations for Fraud Risk Assessment: COSO Principle 8. Retrieved from https://linfordco.com/blog/fraud-risk-assessment-coso-principle-8/
Meyer, C. (2015, September 14). Pay attention to nonfinancial measures when performing audits. Retrieved from Journal of Accountancy: https://www.journalofaccountancy.com/newsletters/2015/sep/nonfinancial-measures-when-performing-audits.html
Successful SOC 2 Approaches to Address Fraud Risk. (2019, September 12). Retrieved from Coalfire: https://coalfire.com/the-coalfire-blog/successful-soc-2-approaches-to-address-fraud-risk
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.