Strong internal controls can help minimize losses

ARTICLE | July 16, 2021

Authored by RSM US LLP

Even the most dependable employee—given the right motivation, opportunity and rationale—can be tempted to take funds from an employer.

The multimillion dollar construction project was so large, it had its own accounting department. This system appeared to work until the 18-month project was completed and the owners found that a number of line items had gone over budget. This prompted an internal investigation to understand where things had gone wrong.

Red flags were raised when a thorough examination found that, while invoices had been paid, some checks were missing from the project files. The company’s bank provided copies of the checks, which revealed that a number of double payments had been made. Many of the accounting functions associated with the project were performed by the project controller. The checks—which had been prepared manually—had been altered by the project controller and deposited into his own account.

As outrageous as it sounds, this problem is not uncommon for construction companies. According to a 2020 Association of Certified Fraud Examiners (ACFE) report, billing and payment fraud combined account for nearly 39 percent of reported incidents victimizing construction companies; for the industry, these types of schemes are second only to corruption. Yet many small and midsize construction companies do not have the internal controls in place to prevent, detect and respond to such events.

The result can be catastrophic, especially for companies running on thin margins. The median loss for all cases in the ACFE study was $200,000; nearly one-quarter lost $1 million or more. There are, however, a number of steps that companies can take to help avoid unintended losses that results from error or outright fraud.

Trust but verify

It is not enough to hire trustworthy people. Humans can make mistakes; errors as simple as the misapplication of costs, improper cost tracking or simple omissions can lead to lost profits. Even the most dependable employee—given the right motivation, opportunity and rationale—can be tempted to take funds from an employer.

In fact, the ACFE noted that companies with strong internal controls reported median losses that were 54 percent lower than peers without those detection tools, while detecting fraudulent activity twice as fast.

The key is to support qualified employees with internal controls that mitigate the risk of error or fraud. For example, any time an offline, manual process is introduced—using a spreadsheet for calculations, for example—errors can occur. This can make companies vulnerable. While automation may not always prevent loss, it can help avoid human error.

On the other hand, a simple adjustment could have prevented the controller in the scenario above from the opportunity to defraud the company. Rather than have one person prepare and send the checks, segregating these duties among more than one person could have prevented the loss of millions of dollars.

Consistent themes and COVID-19 impact

Leading up to the pandemic, the ACFE identified that the following fraud trends have been constant:

• Organizations continue to lose about 5% of revenue to fraud each year
• Asset misappropriation is the most commonly identified scheme
• Tips are the best method of detection
• The longer fraud goes unchecked, the higher the median loss

With COVID-19, fraud continues to increase.  While cyber fraud has become the biggest threat, companies indicated that the coronavirus has made it even more difficult to prevent, detect and investigate all types of fraud.  Travel restrictions, working remotely and a lack of access to evidence exacerbate the consistent themes noted above.  Anti-fraud professionals indicate that a remote workforce has led to challenges with oversight, interviews and changes in controls.

What companies can do

Here are some steps that construction companies can take to reduce the impact of error and fraud:

• Establish internal controls: Active controls that seek out fraud can significantly limit the losses incurred through illegal activity. Controls include a range of activities, from surveillance and monitoring to internal audits and management reviews.
  • When selecting contractors through a non-competitive bidding process, use an evaluation committee with objective members.
  • Segregate duties to ensure that access to sensitive information or the level of approval authority is limited, as appropriate.
  • Delegate more oversight to a board audit committee, which can flag and address any potential override activity. Among reported frauds, 20 percent involved overrides of existing internal controls. This can be an especially challenging for small and midsize companies, since fraud typically involves a senior leader with the ability to work around these checkpoints.
• Enforce controls: The most effective way to minimize fraud losses is to prevent them from occurring in the first place. An anti-fraud culture means communicating the importance of prevention, enforcing the procedures, and providing the support and training needed to do so.
• Audit contractors throughout a project: Management should make sure all negotiated costs and contracts include a right-to-audit clause, enabling the construction company to conduct an on-site examination of the vendor’s books and records in case fraud or a violation of policy has occurred. Internal audits should be conducted by experienced members of the internal audit staff or outsourced to auditors with experience in construction audits.
• Set up a hotline: Although a somewhat passive approach, tips gathered through a hotline or similar method can have a substantial impact on fraud detection. While effective, a hotline should only be part of a comprehensive internal controls approach.
• Test the system: When a construction company has implemented its internal control system, management should consider testing it for possible holes. In addition to an external audit of controls and financial reporting, if a company suspects or becomes aware of potential fraudulent activity, management should consider launching an internal investigation or hiring an outside firm to handle the task. Tests should be performed annually and not taken lightly.
• Continuously adapt and update controls for the remote environment:   It is imperative for all companies to view fraud prevention as an iterative process.  Monitor changes in personnel, procedures and most importantly fraud risks.  Adjust controls accordingly to address an ever-changing environment, even beyond the current pandemic.

Internal controls cannot eliminate errors or fraud entirely; anti-fraud controls significantly lower losses and speed up detection but do not always prevent fraud from occurring. The ACFE study noted, however, that the most prominent organizational weakness contributing to fraudulent activity was the lack of internal controls. And whenever humans are involved, errors will always occur. With financial and reputational risks at stake, construction company stakeholders will want to do everything they can to minimize those risks.