Back to Newsletter

By Andy Gorham, HoganTaylor Assurance Senior Manager

A typical organization loses 5% of revenues in a given year as a result of fraud, according to the 2016 Global Fraud Study by the Association of Certified Fraud Examiners, Inc.  What can you do to mitigate this loss?  The three factors that are present for occupational fraud are:

  1. Motivation or Pressure
  2. Rationalization
  3. Opportunity

By implementing strong internal controls, an organization can remove much of the opportunity for fraud to occur and can increase the chance of detection.  With personnel changes and operational changes, the risks to an organization can change.  Internal controls should be routinely monitored and updated as control weaknesses are identified.  The purpose of implementing controls is not limited to identifying and preventing fraud.  Controls also assist with operational effectiveness and compliance with laws and regulations.

When fraud is discovered there is often a reaction of shock and disappointment.  The fraud was perpetrated by the “last person you would expect.”  The perpetrator is often a long-time employee or member of management. Compounding the issue for Not-For-Profits is the potential loss of confidence from donors or organization members.

Fraud losses tend to increase the longer a fraudster has worked for the victim organization, as shown in the graph below.  People who stay at an organization for a long period of time often move up to higher levels of authority, which in turn gives them the opportunity to commit larger frauds.


2016 Report to the Nations on Occupational Fraud and Abuse. Copyright 2016 by the Association of Certified Fraud Examiners, Inc.

There are two types of controls:  preventive and detective.  Preventive controls are designed to discourage errors or fraud before it occurs.  Detective controls are designed to identify an error or fraud after it has occurred.  In designing controls, an organization should determine the desired level of control assurance relative to a risk.  Care should be taken to avoid implementing controls that become too restrictive and impede operational performance and objectives.  If an area is not particularly risky, perhaps detailed, preventive controls are not necessary and a less restrictive detective control can be implemented.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control – Integrated Framework provides detailed information about internal controls and can be a valuable resource to better design, implement, and assess internal control.  Additionally, HoganTaylor can provide guidance with developing internal controls and auditing service processes.

Back to Newsletter