Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Trust but verify: Internal controls keep you alert to fraud

Aug 28, 2020

Trust is a great quality. To trust is to believe the best in people. And yet, to trust someone is also to take a risk. 

The Association of Certified Fraud Examiners estimates that businesses lose 5% of their revenue to employee fraud each year. And small businesses are the most susceptible. Billing and payroll fraud are 2x higher in small businesses, while check and payment tampering is 4x higher. 

And according to a report by insurance company Hiscox, it’s usually not your new hires who are to blame. On average, an embezzler has been working for the company they steal from for eight years. 

Of course, we only want to hire trustworthy people. But even the most well-meaning employees make errors, and certain items slip through the cracks and could go unnoticed if review and verification methods are not in place.

Detect, deter and verify

Segregation of duties, checks and balances, a second set of eyes — these are basic rules of fraud prevention. Implementing internal controls, like the eight examples listed below, ensure that you’re just not relying on your employees, you’re also verifying the work that is completed.

1. Review accounts payable 

Purchasing should be separate from accounts payable, and the person who generates checks should not be the same person who signs them. For verification, have someone outside the AP process review the check run report and compare to approved invoices. Review payments and credit card statements to verify vendors are recognizable and expenses are related to the business. Spot check to verify internal approval processes were followed.  

2. Evaluate accounts receivable 

Here again, receipt and deposit functions should be separate from record keeping. Ideally, we want different people posting entries and reconciling the accounts. 

For example, if your organization receives paper checks, one person could stamp those checks “for deposit only” and record those checks on a log before turning them over to someone responsible for deposits. Then someone outside the AR function can reconcile deposits against the incoming check log. 

3. Assess payroll changes 

Every pay period, review the payroll change report to verify the validity of changes from the prior pay period. This is especially important if you only have one person who is responsible for changing individual deductions and payrates. 

4. Mandate vacations

Some organizations require individuals in a money-moving role (e.g., payroll, accounting) to take five consecutive days off in a calendar year. If employees are embezzling, they won’t want to give up control of the accounts for a full week. This creates an opportunity for their backup to discover discrepancies as they pick up their colleague’s duties. 

5. Manage vendors

Vendor-related fraud can come from bad actors at the vendor itself or from employees inside your organization. Internal employees may create a fake vendor and direct payments to themselves. Alternately, fraudsters may manipulate a legitimate vendor account, causing double payment on an invoice and diverting payment.

Vendor due diligence can help detect this type of fraud. Periodically verify vendors exist and that their tax ID number and contact information is correct. Here again, have someone outside the vendor setup process approving new vendors is in your best interest.   

6. Conduct surprise audits

Protect your business by conducting covert tests and unannounced audits. For example, you might put a duplicate invoice through the system to see if someone catches it. If you collect cash, conduct surprise cash counts. If discrepancies occur, further reviews are in order. 

7. Analyze data

Accounting systems can help detect fraud by analyzing data trends and establishing norms for company transactions. When something happens outside these benchmarks, triggers can help alert leaders to anomalies and other patterns that could indicate fraud (e.g., vendor invoice numbers out of sequence, payments for a duplicate amount, payments made by manual check, etc.) 

8. Perform outside audits

Outside consultants, such as Wipfli, offer process testing and accounting reviews to examine your organization’s financial records, uncover discrepancies and provide recommendations for greater security going forward. 

Are you verifying your internal controls?

You can use internal control monitoring logs and checklists to verify that checks and balances are occurring on a regular basis. Some organizations may use software and workflow technology to document the review process and employee signoffs. These tools help keep everyone accountable and on task and can include alerts to flag team members when a review task needs to be completed. Other organizations may rely on a more manual process using spreadsheets to track reviews and approvals. 

No matter how you track it, your internal checks and balances should be reviewed on a regular basis to 1) verify controls are working at itennded and 2) to keep your fraud controls current as the business changes. 

Bring in outside eyes for fraud prevention

According to the Hiscox study, 79% of embezzlement cases involved more than one perpetrator. Fraudsters often recruit like-minded peers to expand their schemes. So one of the best ways to check for fraud is to bring in a certified fraud examiner or certified public accountant who specializes in independent testing and verification

Testing verifies that internal controls are being followed. What’s more, it sends a message to employees that you’re watching company financials. While the controls we’ve listed above typically find fraud after the fact, the likelihood of getting caught can be an effective deterrent to would-be fraudsters.

Learn more about our services:


Claire M. Jarchow, CPA, CIA
Senior Manager, Internal Audit
View Profile