Risk assessments, internal control guidelines, and SOX-related processes have become commonplace in corporate operations. But all of that effort only serves to underscore the one issue that companies still haven’t solved: how to monitor and prevent fraud.

“Many organizations still stick their heads in the sand when it comes to fraud,” says Dave Richards, president of the Institute of Internal Auditors. “People who perpetrate fraud often are the most trusted and long-term employees. Companies’ reaction to it, when discovered, is usually one of disbelief.”

Companies are turning to internal auditors to devise effective ways to police employees and to have the forensic know-how to investigate fraud should it occur. Internal auditors looking to create policies and procedures to deal with fraud need to keep one principle top of mind: Their biggest weapon, and resource, is the company’s employees.

Foremost, a company’s senior management needs to establish standards (think “tone at the top”) and then communicate those rules to their employees.

In the areas where a company is at high risk for fraud, such as the oversight of cash-related transactions and other financial matters, managers can set up procedures to prevent problems, such as having two people sign off on every transaction, or establish periodic reviews of transactions to identify anomalies. But companies also should consider their most common and basic controls, including safeguarding assets like laptops.


Magma Design Automation, a $178 million software company based in California, holds weekly meetings with directors and managers worldwide who help operate the company’s financial functions, says Andrew Ng, the company’s director of internal audit. Hosted by the CFO, the meetings give every key finance manager an opportunity to discuss any potential issues, Ng says.

Magma’s top executives also hold quarterly meetings with all employees and take that opportunity to communicate issues related to the code of conduct and integrity. During one recent session, for example, the CEO discussed what is appropriate for employees to download and how to protect intellectual property on their computers, Ng says.


In addition to senior management, internal auditors should meet with members of all divisions of a company, including human resources, legal, IT, and the business units, to brainstorm about what could go wrong and how to prevent it, says Elizabeth Getrost, vice president of internal audit at Clayton Holdings, an analytics company that serves the banking industry.

Together, that group should consider less-obvious targets of fraud such as mailing services or the transfer of competitive information. The company can then establish standards for basic procedures such as hiring practices. (On that front, for example, Getrost suggests making best use of background and reference checks—and not just for recent hires. Companies should routinely consider their incumbent workforce, reviewing performance evaluations and updating background checks, she says.)

When reviewing a company’s operations, internal auditors should try to vary their procedures for auditing to uncover new information, or even take the opportunity to conduct surprise audits, says Ken Yormark, a managing director at the consulting firm Protiviti.


“If I visit someone’s house without notice, I’ll see a different picture than if I give two weeks’ advance notice that I’m going to show up. Things would be more organized and cleaner,” Yormark says. “Auditors should go out with a day’s notice or no notice and ask some questions. They will see things they’ve probably never seen before.”

Working With Others

When an auditor visits a site, Yormark says, he or she should take the opportunity to talk with all sorts of people: security guards, loading dock workers, administrative assistants. You may not learn much the first time, he says, but if you see them and speak with them over time, they may report something of interest. And to further encourage employee participation in monitoring activities for fraud, companies should establish hotlines for them to call.

External auditors expect a company’s audit committee to be involved in and aware of a company’s fraud prevention practices, Getrost says. And while external auditors primarily focus on financial reporting fraud, that opens up the door for management to increase its communications with the committee regarding all types of potential fraud. The committee, in turn, can make inquiries of internal audit about its assessment of anti-fraud activities.

External auditors also are interested in process-related controls, such as demonstrating tight access over key applications, Getrost says.

After Disaster

If fraud occurs, companies need to be keenly aware of the importance of forensic techniques for collecting and documenting information, says Heriot Prentice, director of technology practices at the IIA. “One of the biggest issues is knowing when to call in the experts,” Prentice says. “If you don’t collect information correctly, it won’t stand up in court.”


Corporate data has taken on tremendous value, and companies need to be able to correlate it and demonstrate how information was obtained and how it’s been used, says Michael Maloof, chief technology officer at TriGeo Network Security.

“Companies need to be aware of which data has the greatest value and who has access to it,” Maloof says. “Often, the volume of log data is too high to look at from a manual perspective, so companies should have the forensic capability to go back and search it.”

The IIA is developing a research paper along with the American Institute of Certified Public Accountants and the Association of Certified Fraud Examiners on corporate anti-fraud programs, which should be released to the public for review this month, Richards says. The group also will hold a Webcast on the topic on Nov. 13.

With fraud at the core of high-profile scandals in the last decade such as Enron, Richards adds: “Organizations need to be proactive in identifying their vulnerabilities to certain types of fraudulent schemes, and identify what they can do to mitigate and prevent it.”