Reducing Risk: Why internal controls don't always prevent fraud--and what governments can do about it.

• Author: Ross, David M.

Do you fully understand the level of risk your organization faces? More governments are facing events like theft of cash, theft of fuel, ransomware attacks, successful spear phishing schemes, ACH vendor payment frauds, expense reimbursement schemes, purchasing and fraudulent return schemes, theft of inventory ... It's a long and worrisome list, and many of the recent local government fraud and embezzlement cases are for tens of thousands, hundreds of thousands, or even millions of dollars.

This may be more of a senior management issue than we would like to believe. The lack of ethical decisionmaking on the part of the person committing the fraud is obviously the primary factor in these cases, but there's a problem when senior management believe their organization is well-protected without really knowing its vulnerabilities.

Not just a finance concern

Fraud and embezzlement incidents have occurred in numerous departments and are often perpetrated by long-time employees, in organizations with regular annual audits and established policies that "must be working" because the audits are "clean." Fraud can occur and go undetected over a period of years--or even decades. When these cases come to light, the reputational harm they cause the organization can be worse than the financial hit. Exhibit 1 highlights the financial and reputational harm that can come from an incident happening in your organization with quotes from news articles. (The incidents shown aren't recent, out of respect for the governments that have dealt with similar situations over the past few years.)

Do you believe everything is okay?

Local government organizations receive regular annual audits. They have established policies to protect against wrongdoing. They have trusted longtime employees. Fraud has never been found in the organization. So, managers believe that everything must be okay.

In general, we have a strong desire to believe that things are okay. We may also suffer from a touch of head-in-the-sand syndrome at times because we are busy and do not necessarily want to think about fraud, because the audit is "clean." And, of course, there are many other reasons.

But imagine for a moment that fraud is happening in your organization, or could happen soon, because of weaknesses in the control environment of which you are not aware. You honestly believe things are okay, but hundreds of managers are wrong about this every year. It is very possible that the reason fraud has...