Establish Detection Routines
Nobody wants to see problems. However, leaders of a disciplined organization realize that they, like everyone else, could be losing at least one percent of their top line to fraud. Therefore, they would rather be proactive and identify indicators of problems early, rather than wait for the cancer to become inoperable.
We have gone through the exercise of brainstorming what can go wrong in our organization; now it is time to set a watch, and remain vigilant for indicators of problems.
Most organizations are good at establishing preventative controls - fences and padlocks that deter thievery. However, most organizations go no further, and fail to implement mechanisms for identifying when the thief has jumped the fence.
In order to establish detection measures, we must first understand what to look for.
The previous step had us begin to build a Fraud Library. Now add a column to your Library. For each perpetrator / fraud act you listed, try to think of at least 2-3 symptoms of how the fraud would manifest itself in your organization. What would the symptoms be?
For this exercise, I try to think like a doctor. I could have a heart attack - that is one of my 'what can go wrongs'. Symptoms I want my doctor and me to be alert for: irregular heartbeat, strange pattern on the EKG, shortness of breath, tightness in the chest, and so on. Similarly, we can all remain alert for symptoms of wrongdoing in our organizations. Here is a list of common fraud symptoms to get you started.
You will see plenty of false positives - situations in which a transaction bears symptoms of fraud, but is still a legitimate transaction. As you review the list of symptoms, you no doubt have seen those indicators on transactions that turned out to be fine. So have I. This does not prevent us from following up on the symptom, and should not discourage us from being persistent in our detection efforts.
If you are in leadership or operations, you should begin to establish procedures within the organization to detect symptoms of the problems identified in your fraud library. If you are an auditor, add detection steps into your testing programs. Shed your fixed random samples and statistical samples and begin using data analysis and your eyeballs in site visits to seek indicators of problems so your organization can address them.
One more note. As you review the list of symptoms, realize that control weaknesses are not symptoms, symptoms are not control weaknesses. In my medical example above, my 'controls' are: eat healthy dinners, exercise regularly, actively relax, have fun with my dogs. These reduce the risk of heart attack, but do they eliminate the risk? And if I didn't do these things, does that guarantee a heart attack?
In your organization, suppose someone has custody over your cash, accounts for your cash, reconciles the cash, supervises all the cashiers, has the combination to the vault, and makes your deposits in the bank every day. Does that person have the opportunity to steal some cash? Does that mean that are stealing the cash? We have a severe control problem, but that is not the symptom; the symptom is missing cash. Conversely, suppose all of those above duties were properly segregated among several people. Controls look good, does that mean those folks are not stealing cash?
Look for symptoms. We can worry about the control evaluations later; if you find a slew of fraud symptoms, that will tell you whether or not your controls are adequate.