If you have worked in finance for any amount of time, it is almost certain that you have read or heard about the laundry list of reasons for having strong internal controls. You learned about the “Fraud Triangle” and the case studies about people who pilfered government coﬀers whose boldness eventually got them caught. As a result, your fear likely moved you to put in place simple and easy controls that assuaged your concerns in the moment. You know about the importance of writing procedures that can be handed to your independent auditors in hopes of keeping them from asking uncomfortable questions about weaknesses in the system. You agree with the benefits of controls, but the pushback over change and the urgency of your daily “to do” list prevents follow-through. You are conflicted because you are naturally detail-oriented and risk averse. This article takes a diﬀerent approach to this problem. Specifically, I want to address the internal elements that may be preventing you from completing the one formalized plan that responds to embezzlement and larceny if it should happen – a Fraud Response Plan.
As professionals, our tendency is to look at the uncertainty with an honest level of fear. We see the variables and want to erase them from the outcome. We do everything we can to create guarantees. Regarding the security of our money, we buy health, home, renters, life, long-term care, auto and motorcycle insurance. We set up HSAs, FSAs, HRAs, IRAs and 401ks. We mitigate the risks in our future. We even work to control who gets a share of our money by setting up wills and trusts. We want such precise control over the future that we classify our control over trusts with terms like revocable and irrevocable. Those of us who have defined benefit plans, which are themselves designed to eliminate uncertainty, practically do the annuity math equation from memory as we draw close to retirement. Guarantees continually occupy our decision-making.
Risk aversion equals greater control. In government, oﬃcials produce one year and multi-year budgets, pre-approve tax levies and develop “Five Year Plans” for capital projects. They implement tornado, hurricane and flood response plans. All this, in large part, is done to eliminate unmanageable surprises.
Why is it then that we rarely hear about development of Fraud Response Plans? Is it because it may expose the insufficiencies of our current policies and procedures? That could be a factor. However, even the strongest internal controls do not eliminate the risk of fraud. We could have the best team and the best system of separated duties and still receive a call from a whistleblower or detect patterns which raise suspicions. As the fraud stories have taught us, motivations often produce creative results.
Looking at the bigger picture, what do Fraud Response Plans do for you? They get you to plan and practice for high pressure situations, which too often produce mistakes and misunderstood quotes. When fraud is discovered, all eyes are focused on you. Fraud Response Plans prepare you to handle pressure with grace and confidence. They also give you the support and preparedness to plug the leaks in the ship more quickly because your confidence under pressure gives you a better frame of mind to adjust.
Fraud Response Plans lay out your engagement team and the types of professionals to include. They also give you guidelines for addressing such issues as legal obligations, employee discipline, document preservation, and media engagement.
Fraud Response Plans are the “What Next” after detection. Internal controls help with prevention, but what happens when collusion exploits a weakness in those policies? As with so many other areas of our lives, protect your business or government by developing your responses before fraud occurs.