Combat rising fraud with strong internal controls


By: David G. Friedman, CPA, CFE, CFF, CICA; Partner at Wipfli LLP

Speed was imperative when the U.S. government issued its first round of Payroll Protection Program (PPP) loans. The intent was to get money into companies, fast, to keep them afloat.

So, it’s no surprise that fraud surrounding PPP loans is astronomical. By some estimates, $3 to $5 billion of relief money was lost to fraud, and cyberattacks are up between 800 and 4,000%. The Association of Certified Fraud Examiners expects fraud to rise in the wake of the COVID-19 pandemic, reaching (or exceeding) levels last seen during the 2008-2009 recession.

Organizations with weak internal controls are at greater risk of fraud, loss and even closure. Luckily, they can batten down the hatches with internal controls.

Internal controls are sets of rules and procedures that promote accountability and maintain the integrity of your financial and accounting information. Internal controls can be simple and inexpensive, like designating appropriate signature authorities on accounts or providing training. Cumulatively, and used consistently, they build a strong defense against fraudulent activity.

These eight actions can strengthen internal controls and significantly reduce fraud risk:

1. Segregate duties

It may seem like common sense that the person who’s in charge of AR shouldn’t be collecting cash — but it happens. Regardless of a company’s size (or whether staff are family members or seem extremely trustworthy), accounting processes need to be transparent and shared among team members.

If a bookkeeper has full check-writing authority, make sure a director or manager is reconciling the accounts each month. Require two approvals for payments or use bill pay software to help reduce fraud. Every payment leaving the company should be followed by an independent, smart, and diligent review process.

2. Leverage bill pay services

Bill pay services can help segregate duties or create multi-step authorization, even if a company is very small. Your financial institution (or a commercial service provider) can initiate payments based on the invoices you receive, alleviating a lot of paper shuffling. You retain the authority to approve or deny payments before they’re released, so the software creates a two-person (or two-entity) approval process for every check that’s issued.

3. Validate checks with positive pay

Positive pay is like multi-factor authentication, but fourfold. Every time a check is cut, your AP team sends the check information to the bank. The bank won’t allow the check to clear unless it can match the check date, amount, payee, and check number. The bank also allows each check to clear only once. Positive pay is currently the best way to combat counterfeit checks.
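The matching rule described above, as an added example (not part of the original article, and not any bank's actual system): a small Python model of the bank-side check. The class names, field names, exception wording and the sample issue file are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    issued: date
    amount: Decimal
    payee: str

def _norm(payee: str) -> str:
    # Compare payees case-insensitively, ignoring only spacing differences.
    return " ".join(payee.upper().split())

class PositivePayRegister:
    """Bank-side view of the issue file sent by the AP team (constructed model)."""
    def __init__(self, issued_checks):
        self._issued = {c.number: c for c in issued_checks}
        self._cleared = set()

    def present(self, item: Check) -> str:
        """Return 'PAY' or an exception reason for a check presented for payment."""
        issued = self._issued.get(item.number)
        if issued is None:
            return "EXCEPTION: check number not in issue file"
        if item.number in self._cleared:
            return "EXCEPTION: check already cleared"
        mismatches = [
            field for field, same in (
                ("date", item.issued == issued.issued),
                ("amount", item.amount == issued.amount),
                ("payee", _norm(item.payee) == _norm(issued.payee)),
            ) if not same
        ]
        if mismatches:
            return "EXCEPTION: mismatch on " + ", ".join(mismatches)
        self._cleared.add(item.number)  # recorded only after every field matched
        return "PAY"

# Constructed sample data: two checks reported by AP when they were cut.
ISSUE_FILE = [
    Check("10452", date(2021, 3, 1), Decimal("1250.00"), "Acme Supply Co"),
    Check("10453", date(2021, 3, 1), Decimal("980.40"), "Northside Freight LLC"),
]
```

A rejected presentation does not mark the check as cleared, so the genuine item can still be paid after an altered copy is refused.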

4. Match your receipt style to the business

Companies can receive money through multiple channels; it’s best practice to match your receipt method to the ways you conduct business. For example, companies that typically receive a handful of very large checks each month should require ACH payments. That way, money is deposited directly into an account and there aren’t large checks moving through the office. A company that collects dozens of smaller value checks each month might use a lockbox instead. With a lockbox, deposits and copies of checks are recorded daily so they can be reconciled against the financial record. Regardless of what you choose, money movement should align with your business practices.

5. Limit credit card usage

One way to limit fraud is to reduce the number of people who have spending authority. If staff use company cars or frequently work from the road, consider issuing fleet cards rather than company credit cards. Fleet cards offer greater control over what can be spent and where. For example, purchases can be limited to gas, car washes and oil changes. Fleet cards reduce the opportunity for fraud or misappropriated spending, which can add up — even a soda or a snack at a time.

6. Establish cyber protocols

With the pandemic, remote work skyrocketed. So did the opportunities for fraudsters and scammers, since cybersecurity can be harder to manage from a distance. Whenever employees log in to see financial information, their connection should be secure (ideally through your company’s virtual private network). Phones or tablets can introduce additional vulnerabilities, so create and communicate strict policies about which types of devices can be used and for which tasks.

Scammers can create legitimate-looking messages and invoices, and they create a sense of urgency to fool people into making mistakes. Make sure staff clearly understand your procedures — and how they do or don’t change when you’re working remotely. The best cybersecurity tools will fail if people don’t follow the appropriate procedures.

7. Require ethics training 

Employees could be giving away products, services, or time because a policy against it doesn’t exist. Or maybe “the way it’s always been done” disagrees with company policy. These circumstances can lead to unintentional fraud — and significant losses. 

The accounting department should deliver ethics training, at least annually, to eliminate any question about what’s allowed and expected. Use real-life examples or teachable moments from the business to connect the material to employees’ day-to-day work. Ethics training should also address how employees should respond if inappropriate behavior is suspected.

8. Turn on your tools

Most companies rely on software to manage some or all of their financial business. If your accounting package offers an audit trail, fraud alerts or other security features, turn them on.

Software controls can help you find fraud that might otherwise be hidden. Are you exchanging money with inactive clients or vendors? Are vendors frequently activated or deactivated? Who is making changes to the financial record, when and why? Software tools can provide time- and date-stamped records of your financial activity and strengthen your internal controls against fraud.

How to assess your internal controls

Certified fraud examiners can help you identify potential risks and their likelihood of occurring, pinpoint areas of the business that are most vulnerable, and evaluate current fraud controls. The first step is to look for common signals (or opportunities) for fraud.

Look for red flags

Your management team, bank or fraud examiner can help you spot suspicious behaviors, such as:


  • Employees who don’t take vacation or accept help
  • Employees who seem to be living beyond their means
  • Rapid turnover
  • An accounting department that is dominated by one individual

Financial activity

  • A large number of bank accounts or frequent changes to your banking accounts
  • An excessive number of AR write-offs
  • Cash flow issues (e.g., sales or other business metrics are up, yet there’s no cash or checks are bouncing)

Financial reporting

  • Messy or disorganized financial statements or bookkeeping processes
  • Unexplainable reports or adjustments, or an excessive number of adjusted entries
  • Supporting documentation that doesn’t match your financial statements (e.g., AR or AP)
  • Financial statement or audit delays, reluctance to get information to the audit team or an inability to answer reasonable questions

Test your internal controls

Internal controls only minimize the opportunity for fraud when they’re designed and executed properly. To ensure internal controls are working, you have to test them. Fraud check-ups should be completed regularly, regardless of any national health crisis.

Take these actions to determine whether effective controls are in place:

  • Verify where company mail is going and who has access to it
  • Review payroll lists – look for duplicate names and for staff that are missing Social Security numbers
  • Print and review your vendor list; look for similar or duplicate vendor names, and compare the list with recent activity reports in your accounting system
  • Review every bank statement and credit card bill
  • Intermittently request AP reports
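The vendor and payroll reviews in this list, together with the inactive-vendor question raised under "Turn on your tools", as an added example (not part of the original article): a Python sketch run over exported lists. The record layouts, the legal-suffix list, the 0.85 similarity threshold and all sample rows are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

SUFFIXES = {"INC", "LLC", "CO", "CORP", "LTD", "COMPANY"}

def normalize(name: str) -> str:
    # Uppercase, drop punctuation and common legal suffixes before comparing.
    words = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def similar_vendors(vendors, threshold=0.85):
    """Pairs of vendor IDs whose normalized names are duplicates or near-duplicates."""
    pairs = []
    for a, b in combinations(vendors, 2):
        ratio = SequenceMatcher(None, normalize(a["name"]), normalize(b["name"])).ratio()
        if ratio >= threshold:
            pairs.append((a["id"], b["id"]))
    return pairs

def paid_while_inactive(vendors, payments):
    """Vendor IDs that were paid while inactive or absent from the vendor list."""
    active = {v["id"] for v in vendors if v["active"]}
    return sorted({p["vendor_id"] for p in payments if p["vendor_id"] not in active})

def payroll_flags(payroll):
    """Employee IDs with a missing SSN or a name that appears more than once."""
    seen, flagged = {}, set()
    for row in payroll:
        key = " ".join(row["name"].upper().split())
        if not row["ssn"].strip():
            flagged.add(row["id"])
        if key in seen:
            flagged.update((row["id"], seen[key]))
        seen.setdefault(key, row["id"])
    return sorted(flagged)

# Constructed sample exports (placeholder names and SSNs, not real data).
VENDORS = [
    {"id": "V001", "name": "Acme Supply Co.", "active": True},
    {"id": "V002", "name": "Northside Freight LLC", "active": False},
    {"id": "V003", "name": "ACME Suply, Inc", "active": True},
]
PAYMENTS = [{"vendor_id": "V001"}, {"vendor_id": "V002"}, {"vendor_id": "V009"}]
PAYROLL = [
    {"id": "E01", "name": "Dana Reyes", "ssn": "000-00-0001"},
    {"id": "E02", "name": "Lee Park", "ssn": ""},
    {"id": "E03", "name": "dana  reyes", "ssn": "000-00-0003"},
    {"id": "E04", "name": "Sam Ortiz", "ssn": "000-00-0004"},
]
```

Every flagged pair or ID is a prompt for manual review against supporting documents, not proof of fraud.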

Limit your losses

Desperate times call for desperate measures. Your accounting department can’t change the amount of pressure employees are facing outside work or how they may rationalize skimming “just a little.” You can control the opportunity.

How Wipfli can help

Strong internal controls reduce the opportunities for financial crime to occur — and build healthier financial foundations. Need help strengthening your internal controls? Wipfli can help. Learn about our fraud and forensic services.
