The Top 20 Internal Controls to Detect and Prevent Fraud

Each year, businesses lose billions of dollars to instances of fraud that — with a little structure — could largely be prevented.

According to the 2018 Association for Finance Professionals (AFP) Payments Fraud and Control Survey, 78 percent of organizations were subject to payments fraud in 2017. Perhaps even more disturbing, only 47 percent of the organizations studied discovered fraud less than two weeks after the incident occurred.

From streamlining how reconciliations are managed in Excel to building a comprehensive checklist for the month-end close, the time spent documenting and implementing strong internal controls around your month-end close process can limit costly oversights, eliminate redundancies, and reduce stress. During a recent webinar hosted by FloQast, veteran consultant Chris Doxey — whose extensive resume includes being recruited to help MCI (formerly WorldCom) recover from their legendary internal control woes — detailed 20 internal controls vital for detecting and preventing fraud.

Give this list a read and ask yourself if your own firm’s internal controls could use another look.

The Top 20 Internal Controls

  1. The company’s Tone at the Top is well communicated throughout the organization.
  2. All employees must comply with the Company’s Code of Conduct and the consequences of non-compliance are communicated and understood.
  3. A Segregation of Duties policy is established throughout the company.
  4. A Delegation of Authority policy is in place for all company commitments and expenditures.
  5. Monthly Account Reconciliations are mandatory. (Our favorite at FloQast!)
  6. System Access Controls are reviewed on a monthly basis or after a system upgrade or organizational change.
  7. The organization’s managers are responsible for integrating effective internal controls into all company operations. This responsibility includes identifying, assessing, and managing risks related to their business objectives.
  8. All representations and assertions regarding internal controls must be supported with the appropriate documentation.
  9. Costs and expenses of all operating units must be maintained under budgetary control. Comparisons of actual expenses to budgeted amounts must be performed on a regular basis, and all significant variances explained.
  10. All operating units must develop a system of internal controls to ensure the assets and records of the company are adequately protected from loss, destruction, theft, alteration, or unauthorized access.
  11. Critical transactions within the organization’s business processes must be traceable, authorized, authenticated, have integrity, and be retained in accordance with established policy, such as the Delegation of Authority Policy.
  12. Background checks are conducted for all employees and contractors.
  13. The business records for the organization must be maintained and retained in accordance with established policy.
  14. The organization’s network and information program, which states corporate policy on proprietary, confidential, or trade secret information, must be adhered to. As such, employees and contractors must refrain from unauthorized disclosure of sensitive or confidential information.
  15. All computer systems and/or software applications that may impact the operation of a business process must have the adequacy of their internal controls verified through the user acceptance process prior to implementation.
  16. Contracts or documents that legally bind the organization or a subsidiary company to any obligation can be executed by purchasing personnel (for agreements pertinent to their areas of responsibility) or individuals duly authorized under the organization’s delegation of authority policy. Legal should review and approve all contracts and legally binding documents. Right- to-audit clauses should be included in the contracts where appropriate.
  17. All suppliers are validated before they are entered into the system of record. The validation process includes:
    1. Requiring a W-9
    2. Performing TIN Matching
    3. Compliance Screening (OFAC, BIS, EPLS, OIG)
    4. Address and Phone Verification
  18. All disbursements over a certain dollar amount are reviewed and approved with special attention to large international payments and wires. (The dollar amount to be reviewed will depend upon the size of the company.)
  19. All intercompany payables and receivable activity is reconciled on a monthly basis.
  20. A physical inventory process should be in place for Fixed Assets. A physical inventory and cycle counting process should be established for all production and expense inventory.

Interested in finding out more ways that FloQast can help you create a strong control environment? Check out the FloQast resources page cutting-edge whitepapers, accountant-created checklists, and webinars featuring advice from industry veterans such as Chris.

Chris Doxey is a veteran financial consultant, educator, and the founder of Doxey, Inc. Her extensive resume includes senior-level positions at Compaq, Digital Equipment Corporation, and Hewlett Packard, where she worked for nearly 25 years.

Blake Oliver

Blake Oliver, CPA, is an entrepreneur, accountant, writer, and speaker who specializes in cloud accounting technology. In 2016 and 2017, Blake was named a “40 Under 40” in the accounting profession by CPA Practice Advisor. He is the Senior Product Marketing Manager for FloQast.