The Importance of Internal Controls to Reduce the Risk of Corporate Fraud

Fraud risks within companies are not something new. For years, companies have found themselves susceptible to fraud, falling victim on many occasions. While fraudulent behavior can occur at all levels of the organization, more than half of occupational frauds occur in (1) operations, (2) accounting, (3) executive/upper management, and (4) sales[1]. For this reason, it is important to maintain a strong internal control environment at all levels of the organization and, most importantly, good governance and “tone at the top.”

With globalization, companies are forced to expand rapidly, often into international markets with different perceptions of fraud. This often results in an inconsistent control environment across the company. Mid-size companies find themselves expanding to overseas markets, often with a higher perceived risk of fraud, taking risks to succeed in business while failing to comply with local and global laws. Along with business growth and a focus on business operations, internal controls must be developed with compliance in mind, covering local Acts and adherence to the Foreign Corrupt Practices Act (USA) and the Corruption of Foreign Public Officials Act (Canada), among others.

It is estimated by the ACFE that an organization will lose 5% of revenue to fraud every year, where the median loss per case is USD 125,000, and the average loss per case is USD 1,509,000. Furthermore, as cited within the report, a lack of internal controls contributed to nearly 1/3 of all company frauds.[2] Aside from the financial impact produced by fraud, the real harm to the organization is a result of management’s distraction leading to a loss of trust in the workplace.

With a ‘no fraud tolerance’ attitude, the need for external assurance providers, such as internal audit consultants, has become too pressing to ignore. According to a published document, “Good governance principles demand that an organization’s board of directors, or equivalent oversight body, ensure overall high ethical behavior in the organization… The board’s role is critically important because historically most major frauds are perpetrated by senior management in collusion with other employees.”[3] The Board and Senior Management may be held responsible for employees’ actions. Employees’ responsibilities are to follow the controls and policies, but the Board is responsible for approving the policy and procedure framework. The Board establishes a risk committee, which reports to the Board on the internal compliance or non-compliance with controls and policies. Furthermore, good corporate governance policies often provide for the engagement of third-party internal audit consultants once or twice a year to evaluate the control effectiveness.

For organizations of all sizes, it is also important to consider the Three Lines Model (formerly known as the Three Lines of Defense), where the Board, management and internal auditors work to improve the organization’s value and the role of the third-party internal audit consultant becomes key for further assurance. Under this model, the Board is accountable to stakeholders for organizational oversight, through first line roles; management leads and directs action to achieve organization objectives, through first line and second line roles; and internal audit provides independent assurance, through its third line role.[4] The effectiveness of this model is further enhanced through constant communication between the key roles of the organization as well as alignment and collaboration between management and internal audit. Third-party internal audit consultants become invaluable since they offer expertise, experience and resource capabilities that supplement the organization’s current internal audit team.

The internal audit function comprises various procedures and processes, including, but not limited to, risk assessments, control assessment and mapping, audit planning, risk governance, and root-cause analysis. These activities assist the company with its internal controls to maintain organizational value. The most important step in the process is facilitating a risk assessment, where internal processes are mapped out, and risks throughout the organization are identified and prioritized. Herein, controls that are currently in place are identified and improved based on best practices.

Risk assessments done by an external subject matter specialist outside the business unit provide independent objectivity, with internal bias and subjectivity avoided. Once priority risks are identified and controls are mapped, recommendations are made concerning any identified gaps in the controls to provide for improvement opportunities. When internal policies, procedures, and controls are implemented and fraud is still a problem, the cause may be rooted in the operations. To solve this, improving the implementation and communication of the controls is needed. Several tools, such as surveys and fraud awareness training, can be implemented, which serve to close the gaps. All this will be reviewed by the third-party internal audit consultant.

Along with effective risk assessment, effective governance processes are needed. “Effective governance processes are the foundation of fraud risk management. Lack of effective corporate governance seriously undermines any fraud risk management program. The organization’s overall tone at the top sets the standard regarding its tolerance of fraud.”[5] Good governance and training go hand in hand, with training becoming part of good governance.

Fraud awareness training is important. Organizations with fraud awareness training for employees were more likely to gather tips through formal reporting mechanisms – 56% of tips with training and 37% without training.[6]

With professional external parties assisting with the overall internal fraud risk management and processes, risks within the organization can be mitigated, and the following principles ensured:

  •  Suitable fraud risk management oversight and expectations exist (governance)
  •  Fraud exposures are identified and evaluated (risk assessment)
  •  Appropriate processes and procedures are in place to manage these exposures (prevention and detection)
  •  Fraud allegations are addressed, and appropriate corrective action is taken promptly (investigation and corrective action)[7]

Further compounding this need for third-party internal audit consultants, the IIA’s Definition of Internal Auditing states, “Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes… Internal auditing provides assurance to the board and to management that the controls they have in place are appropriate…”[8] Based on my experience, there is no better way to achieve this than with an active internal audit staff complemented with talented third-party internal audit consultants.


[1] ACFE Report to the Nations, 2020.
[2] ACFE Report to the Nations, 2020.
[3] Managing the Business Risk of Fraud: A Practical Guide.
[5] Managing the Business Risk of Fraud: A Practical Guide.
[6] ACFE Report to the Nations, 2020.