Internal Controls for Fraud Prevention

Academic year: 2021

Master thesis

MSc BA – Management Accounting and Control

Abstract:

This research focuses on how the financial function assesses fraud and implements preventive internal controls to prevent fraud from occurring. This research found that the financial function does assess fraud as a risk, but it has not yet been determined how much risk appetite organisations have for fraud. Furthermore, a majority of organisations use a combination of preventive and detective techniques. This research additionally found that organisations put much effort into their internal control systems but do not monitor the effectiveness of the internal controls as frequently as they should.

Keywords: fraud prevention, fraud detection, internal control.

Mark Hogenberk S2778955

M.hogenberk@student.rug.nl

Supervisors: Dr K. Linke

Co-assessor: Prof. Dr I.J.J. Burgers

Date: 05-07-2020

Table of Contents

1. Introduction
2. Theoretical Framework
2.1 Occupational Fraud
2.2 Fraud Triangle
2.3 COSO 2013 Framework for Internal Control
2.3.1 The Framework
2.3.2 Objectives
2.3.3 Control Environment
2.3.4 Risk Assessment
2.3.5 Control Activities
2.3.6 Information and Communication
2.3.7 Monitoring Activities
2.4 Conceptual Model
3. Methodology
3.1 Research Design
3.2 Data Collection
3.3 Data Analysis
4. Results
4.1 Objectives
4.2 Control Environment
4.2.1 Autonomy and Independence of Employees
4.2.2 Background Check
4.2.3 Competency in Job
4.2.4 Responsibility and Accountability of Employees
4.3 Risk Assessment
4.3.1 Fraud Risk
4.3.2 Fraud Risk and Economic Cost
4.3.3 Examples of Fraud
4.3.4 Changes in the Internal Control System
4.4 Control Activities
4.5 Information and Communication
4.5.1 Communication Across the Organisation
4.5.2 Open Communication
4.6 Monitoring Activities
5. Conclusion and Discussion
5.1 Contributions
5.2 Limitations
5.3 Future Research
References

1. Introduction

In 2019, Fagron, a pharmaceutical company, announced a financial fraud of €1.6 million. The main suspect of the fraud was one of the company’s controllers, the head of the financial department. His wife, the head of purchasing at Fagron, was additionally dismissed, presumably due to the financial fraud (Smit, 2019). This is one example that illustrates a finding from the Association of Certified Fraud Examiners (ACFE) that 24% of occupational fraud is conducted in companies with more than 10,000 employees. The report additionally states that 16% of all cases are committed at government institutions (Dorris, 2018). The fact that this kind of financial fraud continues to be possible at firms, particularly at large, publicly traded companies and government institutions, indicates that fraud prevention measures do not work effectively. It raises questions about how financial personnel, such as controllers, assess financial fraud and attempt to prevent financial fraud from happening.

In order to delve deeper into financial fraud and what is known about it, the fraud triangle will be discussed. The model was first developed by Cressey (1953) when conducting research on why individuals who were in positions of financial trust committed fraud (Schuessler, 1954). The model examines three distinct components: financial pressure, opportunity and rationalisation. In order for fraud to be committed, all three factors have to be present; thus, in order to minimise the risk of fraud, an organisation has to remove one of these three factors (Loebbecke, 1989; Riney, 2018). The opportunity factor states that someone has to have an opportunity to commit fraud, and internal controls can ensure that this opportunity is removed, thus preventing fraud from happening (Cascarino, 2013). For instance, the employee theft discussed in the first paragraph was committed by a person within the organisation in a position of power. Using internal controls would have made it more difficult for this person to divert company assets to himself. One can think of internal controls, such as the segregation of duties, that were lacking in the example company due to his wife’s role. Another internal control that could have prevented the theft would be ongoing monitoring and auditing (Cascarino, 2013).

proper implementation of this internal control framework, the internal controls should improve and remove one of the factors of the fraud triangle.

When all of these internal controls are put into place, it would make it more difficult, if not impossible, to commit fraud. However, fraud still occurs. How can this be? Cascarino (2013, p. 147) has used an example of a control measure to demonstrate the issue with the effectiveness of internal controls. He states that a lock was put on the door, which appears to be a sound control. However, one has to ask what the objective of the control is. Is it to keep people in? Is it to keep people out? Is it a normal door, or is it an emergency exit? No single control is effective when the source of what should be controlled is unknown. Essentially, internal controls should be made for specific targets and tested on whether the control measure works as intended on said target. This additionally means that there is no universally ideal control system. The desired and necessary controls differ from organisation to organisation. This makes it difficult for the financial function to properly implement effective internal controls, which in turn leads to weaknesses in fraud prevention. This then raises the following research question:

How does the financial function assess occupational fraud and implement preventive internal controls?

In order to answer this research question, a qualitative study was done. A qualitative study is considered useful when researching a ‘how’ relationship (Eisenhardt, 1989). Interviews were conducted with 10 individuals working at nine different organisations. These organisations differed in size and domain. The interviewees all occupied a financial position. However, they differed in hierarchy within their respective organisations.

The main contribution of this study is to provide insight into how the financial function assesses fraud as well as how these functions provide preventive internal controls to combat fraud. By gaining insight into this, academia may further understand the practical implications of internal controls and thus develop new theories that more ideally fit with these practical implications. Another contribution is that this research shows the shortcomings of currently used internal control frameworks by practitioners.

2. Theoretical Framework

This theoretical framework aims to explain the fraud triangle and internal controls. Firstly, fraud is defined, after which the fraud triangle is analysed to understand what motivates someone to commit fraud and how internal controls interfere with the components of the fraud triangle. The third part elaborates on what an ideal internal control system looks like and how this helps to prevent fraud. This paragraph is subdivided into seven subparagraphs, the first covering the COSO system itself, the second covering the objectives and the last five covering the different parts of the COSO components. The final paragraph shows a conceptual model of the logic behind this theoretical framework.

2.1 Occupational Fraud

There are many different forms of fraud, which all fall under the label of white-collar crime. White-collar crime is defined as follows: ‘a generic term for the whole range of illegal, prohibited, and demonstrably harmful activities involving a violation of a private or public trust, committed by institutions and individuals occupying a legitimate, respectable status, and directed toward financial advantage or the maintenance’ (Rorie, 2020, p.27). When someone commits white-collar crime, it can be either for personal enrichment or for the enrichment of the organisation. An example of fraud that, in the short term, benefits the organisation is false revenue recognition that could increase the share price of the organisation. An important distinction between occupational fraud and white-collar crime is that the latter is an umbrella term for all kinds of fraud. Occupational fraud is more focused on the enrichment of the perpetrator himself and can only be done by a person, not by an organisation. This research focuses on occupational fraud. An important aspect of occupational fraud is that the organisation is not aware of it; an example of this is the embezzlement of funds. Occupational fraud is defined as ‘the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the organisation’s resources or assets’ (Wells, 2018, p.8).

This study focuses on occupational fraud due to the impact that occupational fraud has on organisations. The ACFE (2018) estimates that, on average, about 5% of an organisation’s annual revenue is lost due to occupational fraud. This makes occupational fraud a significant cost for organisations. When organisations can prevent fraud from happening or recover lost funds, these funds can be reinvested into the development of new products or lowering the price of their products.

prevention ensures that these losses do not occur in the first place. Occupational fraud is referred to as fraud for the remainder of this study.

2.2 Fraud Triangle

In order to understand how fraud can be prevented, it is important to understand the potential causes for fraud. The fraud triangle accomplishes this. This model was first developed by Cressey (1953) when conducting research on why individuals who were in positions of financial trust committed fraud (Schuessler, 1954). The model examines three distinct components: financial pressure, opportunity and rationalisation. For fraud to occur, all three variables of the fraud triangle must be present (Loebbecke, 1989; Riney, 2018). Therefore, if one of the three components of the fraud triangle is removed, it is less likely that fraud will be committed.

Financial pressure drives individuals to commit fraud; this could be a certain incentive or motivation, for example (Huang et al., 2017). A key aspect of financial pressure is that it is not shared but is solely carried by the individual with the problem. As this problem is not shareable, it sufficiently motivates someone to behave with malicious intent in order to resolve his or her problem (Cressey, 1953). This financial pressure can be categorised into two main categories, namely financial pressure and non-financial pressure (Lokanan, 2015; Dellaportas, 2013). Examples of non-financial pressure are pressure from family or pressure from revenge (Naruedomkul et al., 2010; Doxey, 2019). For instance, Naruedomkul et al. (2010) found that a desire by the perpetrator’s family for success could be an important pressure to commit occupational fraud. Pressure can be mitigated through the proper screening of employees. One could consider checks to see if a potential employee has addiction problems, which can lead to financial issues and thus motivate the employee to commit fraud. Another possibility is screening potential employees for large amounts of debt, as this could be motivation to commit fraud as well.

potential punishment is higher. Furthermore, ensuring competence among employees is an important aspect of human resources and thus internal control (Moeller, 2013). When an employee who carries out control activities is not competent at his or her job, gaps may emerge in the internal control system. These gaps could provide an opportunity for potential perpetrators to commit fraud.

The final component is rationalisation, where a perpetrator rationalises his or her fraudulent behaviour to be consistent with his or her personal code of ethics (Suyanto, 2009). In practice, a rationalisation could be a perpetrator rationalising the fraud by convincing him or herself that the money will be paid back, thus causing no harm to be done. Furthermore, Apostolou et al. (2001) have found that influence over the control environment is an important factor when it comes to the potential for fraud. They additionally mention that this is a determinant of rationalisation. The rationalisation aspect of the fraud triangle can be mitigated via the use of internal controls. The creation of ethical consciousness among managers and employees through clear and unambiguous policies and procedures can mitigate rationalisation. When this is done properly, it is more difficult for an individual to rationalise their fraudulent behaviour as it becomes more difficult to rationalise via their personal code of ethics. Conclusively, all three components can be mitigated through the use of internal controls.

2.3 COSO 2013 Framework for Internal Control

The previous paragraph demonstrates that an ideal internal control system can be used to prevent fraud. This paragraph aims to explain what ideal internal controls are and delve deeper into how these can function to prevent fraud. An internal control is defined by COSO (2013, p11) as ‘a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance’.

2.3.1 The Framework

The COSO 2013 Framework for Internal Control (COSO IC) is a framework that provides guidance for essential components that are needed for a sound internal control system. Previously, the COSO 1992 Framework for Internal Control was the most used internal control framework for companies (Dickins and Fay, 2013). However, in 2013, the Treadway Commission updated the system to include changes in operating environments, expand on operations and reporting objectives and include 17 principles. The framework developed in 2013 is used throughout this research, as it is an updated and more comprehensive version of the framework.

step is that these internal controls are set out among different organisational levels. If an organisation designs its internal control in line with this framework, the internal control system should cover the necessary elements.

The three categories of objectives allow organisations to differentiate the goals of internal controls among different aspects such as operations, reporting and compliance. Operational objectives are focused on organisational operations, such as effectiveness and efficiency. Objectives related to reporting are objectives focused on both internal and external reporting, such as reliability and timeliness. Compliance objectives focus on compliance with laws and regulations.

Furthermore, the internal controls that are set within the objectives should additionally span the spectrum of components. There are five components: the control environment, risk assessment, control activities, information and communication, and monitoring activities. The control environment refers to the environment in which the internal controls are conducted. These are, for instance, standards, processes and culture. Risk assessment relates to identifying and assessing risks that could threaten the achievement of the objectives. Control activities relate to the actions done, via policies and procedures, on behalf of internal control and done to achieve the set objectives. Information and communication relate to the proper use of information and having the correct information to carry out the objectives of the internal controls. Communication relates to sharing the acquired information in the correct way for the use of internal controls. Monitoring activities relate to the ongoing evaluation of the five components, which ensures that the internal controls work properly to achieve the objectives. As a final step, these internal controls are implemented among different organisational levels (COSO, 2013). The COSO IC is, therefore, a framework that could improve the effectiveness of the internal control system and thus prevent fraud.

2.3.2 Objectives

to Byington and Christensen (2005), this means that there needs to be a statement describing management’s responsibility for an adequate internal control system, an explanation of the framework for the internal control system, a statement of effectiveness of this system and the auditor’s agreement on this (Sarbanes-Oxley Act of 2002, section 404).

Each organisation has a different internal control system; therefore, it is imperative that this system fit the company (Cascarino, 2013). For instance, Cascarino (2013) has argued that putting a lock on a door can seem to be an ideal control measure. However, that depends on the context, as argued in this paper’s introduction. The objective of a control measure is important to assess its effectiveness. Another aspect is that if one places a lock on the door, who is given the key? If only the CEO has the key to the locked door, it is safe. However, if the door is used throughout the day by all personnel, then, from an operational point of view, it is not efficient. Therefore, it is crucial to have clear and unambiguous objectives for the internal control system. If these objectives are not present or not fully understood, this can leave gaps in the internal control framework and thus create an opportunity to commit fraud.

2.3.3 Control Environment

The control environment refers to the environment in which the internal controls exist. These are, for instance, standards, processes and culture. Zack (2013) has argued that the control environment is a representation of the control consciousness that an organisation has. An aspect of this is referred to as the tone at the top. This environment provides the foundation for the internal control system. It influences each of the three internal control objectives, namely operations, reporting and compliance (Rubino et al., 2017). The control environment is thus a set of aspects, among which are the integrity of the employees and the organisation, the ethical values, the culture in the organisation, the management philosophy and the existence of policies and procedures (Graham, 2015; Rubino et al., 2017). In short, the control environment is the business culture, the ethical consciousness of the managers and the organisation’s policies.

particularly in matters of integrity and ethics. The ethical consciousness can be enhanced via the use of a code of conduct or an employee handbook, which provides clear and unambiguous guidelines on how an employee should act and what is and what is not acceptable behaviour (Kasey et al., 2014). However, Jung-Gehling and Strauss (2018) have argued that organisational control measures can restrain the autonomy that employees have and lower employee motivation. This implies that the guidelines should be made in a way that allows employees to keep a feeling of autonomy.

Fourie and Ackermann (2013) argue that the chief executive officer (CEO) of an organisation has the final responsibility for the internal control system and that it is his or her job to create a top-down environment in which the internal control system is seen by all employees as integral to the achievement of organisational objectives. Moeller (2013) argues that it is important for the board of directors to exercise independent oversight of the development and performance of internal controls. When a board of directors does this, it is important for them to look at the way the CEO has implemented the top-down environment.

Moeller (2013) additionally argues that it is important for the control environment to have clear policies and procedures for human resources. An aspect of this could be a criminal background check to see whether a potential employee, who might work in a position of financial trust, is ethical. This has two important aspects, the first being that ensuring new employees are ethical increases the ethical consciousness of the organisation. The second is that someone who has shown unethical behaviour may have a different code of ethics than that of the organisation. This can lead to interference with the rationalisation aspect of the fraud triangle. Another consideration for human resources is ensuring competence (Moeller, 2013). When someone responsible for internal controls or someone who exercises part of an internal control is not competent at their job, it can lead to gaps in the internal control system, which in turn, can lead to opportunities for an individual to commit fraudulent behaviour.

A final aspect of the control environment is the responsibility and accountability of employees. An aspect of an ideal control environment is that individuals who, either with or without malicious intent, incorrectly exercise internal controls be held accountable for their actions (Moeller, 2013). When an organisation does not do this, they create an environment in which it is deemed acceptable to exercise internal controls incorrectly. This can lead to both an opportunity to commit fraud, as the internal controls are not exercised properly, and to rationalisation. A potential wrongdoer may argue that if the organisation does not care that much about a certain aspect, then neither should he or she.

2.3.4 Risk Assessment

compliance. An important aspect of the risk assessment is for the organisation to clearly and unambiguously specify the objectives. These objectives are then analysed to see where there is a potential risk. Furthermore, the organisation should recognise and analyse changes within the organisation that could have an effect on the internal control system (Moeller, 2013). These changes come with the risk of deranging the internal control system. For instance, when a process or procedure changes, the organisation should think about the impact this has on the internal control system.

Furthermore, an organisation should not only assess the risk of the achievement of the objectives and the impact this has on the internal control system but additionally assess the risk of potential fraud (Vona, 2008). When the risk of potential fraud is not considered when determining risks, an organisation risks leaving gaps in its internal control system. In turn, this can leave an opportunity for potential fraud. Thus, by mitigating all risks related to fraud, the opportunity aspect of the fraud triangle can be removed.

However, due to risk appetite, organisations see this risk of potential fraud differently. Some organisations may feel comfortable with risking a small amount of money due to fraud if it drastically improves their chances of achieving their operational, reporting or compliance objectives. This is not incorrect, but it is important for an organisation to thoroughly consider fraud risk and make an informed decision about being exposed to it (Vona, 2008).

2.3.5 Control Activities

Control activities relate to the actions done, via policies and procedures, on behalf of internal control and done to achieve the set objectives. The control activities are performed at all levels of the organisation and in different business units (Moeller, 2013). It is important for control activities to maintain separation between custody over assets and the accounting function. In other words, the responsibility for operations and reporting or controlling should be separated from each other (Fourie and Ackermann, 2013). Examples of control activities are the segregation of duties, authorisation of transactions, performance reviews, isolating accountability and proper access control. Access control is both physical and logical, such as the warehouse where the inventory is stored (Fourie and Ackermann, 2013).

triangle. This occurs as fraudulent behaviour then requires malicious intent from two individuals. This makes it more difficult to commit fraud and, hence, interferes with the opportunity aspect of the fraud triangle. Another example is a background check for employees. When an employee does not have a drug addiction or much debt, it is less likely for this individual to commit fraud. This interferes with the motivation factor of the fraud triangle (Lokanan, 2015; Dellaportas, 2012).

2.3.6 Information and Communication

Information relates to the proper use of information and having the correct information to carry out internal controls to achieve the objectives. The communication factor relates to sharing the acquired information in the correct way for the use of internal controls. In terms of information and communication, it is important for information to span across all dimensions within the organisation (Zahra, 1991; Hunziker, 2017). When this is not the case, it can result in misunderstandings between managers and controllers as to who does what. This could, in turn, lead to gaps in the internal control system. Therefore, communication and information are vital to the internal control system of an organisation (Hunziker, 2017). Fellner and Mitchel (1995) have argued that, for internal control communication, the way things are reported is important, including the knowledge of the organisation and knowledge of daily activities held by the accounting personnel.

Hooks et al. (1994) have stated that the added value of communication is that it requires openness, whereas fraud requires concealment. These two are contradictory and, hence, cannot co-exist. In other words, having an effective communication system and ensuring that the correct information reaches the correct individuals can interfere with the opportunity factor of the fraud triangle. Furthermore, Hunziker (2017) has argued that ideal information and communication prevent gaps in the internal control system. These gaps in the internal control system can be abused by employees for fraudulent behaviour, as the gaps provide employees with the opportunity to commit fraud.

2.3.7 Monitoring Activities

Monitoring activities relate to the ongoing evaluation of the five components, to ensure that the internal controls work properly to achieve the objectives. The continuous monitoring of internal controls is an assessment of objectives. The current objectives should match with the desired objectives (Hunziker, 2017). Furthermore, this component is to ensure that the other four components properly function (Moeller, 2013). Examples of these activities include regular checks on deficiencies in internal control, analysing communication channels, reviewing the competency of the staff and periodic comparison of accounting records with physical assets (Hermanson et al., 2012).

objectives or due to the change of the internal control system itself. Furthermore, changes in staff, information systems, laws or business strategy may result in a need for change in the internal control system (Hunziker, 2017). Therefore, the internal control components should be analysed for possible deficiencies.

The chairman of COSO said in a press release that ‘there is a tremendous gap between the value good monitoring brings to a system of internal control and management’s understanding of that value’ (COSO, 2006). If this is not done regularly or properly, there may be gaps in the internal control system, of which the management of the organisation has no knowledge. This could result in an opportunity for fraudulent behaviour. Thus, by continuously monitoring the effectiveness of the internal control system, an organisation can remove the opportunity aspect of the fraud triangle.

2.4 Conceptual Model

This results in the following conceptual model demonstrating the fraud triangle as applied to COSO IC, which is interpreted by the financial function, which then applies these theories to prevent fraud.

3. Methodology

3.1 Research Design

In order to accomplish the goal of this research, a qualitative study was conducted. Qualitative research is concerned with interpretation and understanding (Eriksson & Kovalainen, 2008). The use of qualitative research is fitting when the research is aimed at understanding in what way a relationship works (Eisenhardt, 1989). As discussed previously, the aim of this research was to understand how the financial function, fraud risk and internal controls are related. Consequently, semi-structured interviews were conducted. These semi-structured interviews allowed the researcher to gather information about what internal control system was used, how it worked and how these financial personnel perceived both their internal control systems and the risk of fraud. At the beginning of the interview, the interviewees were asked for permission to record the interviews. In order to guarantee confidentiality, all words or phrases that were specific to a certain company were removed and replaced by other words. An example could be that a specific function was replaced by a more general description of the function. Examples of phrases that were altered were highly detailed descriptions of certain aspects of the organisation. Several of the descriptions were detailed to the extent that the identity of the interviewed organisation could be readily discovered. A final precaution for anonymity was to send the anonymised transcript to the interviewee together with a list of all words and phrases that were replaced and ask whether the interviewee agreed on the anonymity. The questionnaire for the interviews can be found in Appendix 1. Finally, these interviews were conducted over the phone. This was done for practical reasons, as the Covid-19 pandemic resulted in organisations preferring to work from home and maintaining distance from other people.

3.2 Data Collection

Interviewing direct friends or family could make it more difficult to ask certain questions, as the interviewer could be fearful of damaging the relationship with the interviewee. Another selection criterion was that banks and other financial institutions were not interviewed. The reasoning behind this was that financial institutions had to adhere to strict anti-money laundering and anti-terrorism financing regulations. Because of these regulations, financial institutions would have sound control systems that could counter these types of fraud. Furthermore, these types of fraud were not researched during this study. Therefore, it was not relevant to interview financial institutions. The interviewees all possessed financial functions within their organisations. However, these financial functions differed in their hierarchical levels. Several of the interviewees were controllers. Several were chief financial officers (CFOs), and several were employees or managers in financial departments. The differences in these functions were chosen to demonstrate the standpoints of the financial function across the hierarchy within organisations. For instance, the CFO of an organisation could provide information on how fraud prevention and operational objectives were balanced, in other words, the economic cost of fraud, whilst a controller could provide information on how they performed the designed control measures. This increased the internal validity of the research. In total, 10 individuals were interviewed, which was one employee per organisation, with the exception of the third organisation, where two employees were interviewed. The different functions and organisations are outlined in Table 1.

| Organisation | Domain | Sector | Employees | Function | Time (min) |
|---|---|---|---|---|---|
| 1 | Private | Engineering | 80,000 | Manager Control | 31 |
| 2 | Private | Services | 60 | CFO | 67 |
| 3 | Public | Government | 65,000 | Business Controller | 64 |
| 3 | Public | Government | 65,000 | Manager Finance & Control | 49 |
| 4 | Private | Wholesaler | 500 | CFO | 36 |
| 5 | Semi-Public | Industrial & Services | 1,600 | Controller/Manager Operations | 29 |
| 6 | Semi-Public | Healthcare | 3,000 | Manager Audit | 44 |
| 7 | Private | Engineering | 6,000 | Project Controller | 39 |
| 8 | Semi-Public | Healthcare | 3,000 | Employee Internal Control | 29 |
| 9 | Semi-Public | Healthcare | 600 | Concern Controller | 46 |

Table 1: Interviewed Organisations

3.3 Data Analysis

concepts, followed by second-order concepts, after which these are placed under their aggregate dimensions. The full list of codes used can be found in Table 2.

According to Swanborn (1996), three aspects are important for qualitative research. These are controllability, reliability and validity. These three aspects are important to determine the quality of the research. In terms of controllability, the research products are made public, are expressed in a precise language and are falsifiable. Finally, the research steps and procedures were documented. These were necessary to ensure controllability, which is a necessary feature of effective research (Swanborn, 1996). Unfortunately, reliability was one of the shortcomings of this research. The achievement of replicability is important for reliable research (Swanborn, 1996). Replicability can be

Aggregate Dimensions Second Order First Order

Objectives Set objectives Compliance

Operational Reporting Internal Control System Purpose ICS

Model ICS

Control Environment Ethical Consciousness/Culture Integrity Training

Environment Tipline

Background Check Debt/Addiction Problems CoC

Employees Accountability

Autonomy Responsibility

Risk Assessment Fraud Risk Economic Cost Fraud

Perceiving Fraud Prevention/Detection Fraud Examples

Other Risks Risk Mitigation

Risks

Clear Objectives

Control Activities Perceiving Activities Purpose Activities

Used Activities

Procedures Exceptions Procedures

Information and Communication Communication Open Communication

Effectiveness Communication

Information Incorrect Information

Information Used

Monitoring Activities Changes Changes in ICS

Monitoring Changes

Gaps Effectiveness ICS


4. Results

Within this chapter, the results of the interviews are analysed. This was done based on the COSO IC, which is discussed in the theoretical framework. Within the theoretical framework, the different components of the COSO IC are linked to the fraud triangle and how certain control measures interfere with the components of the fraud triangle. Therefore, if the discovered control measures were not sufficient, they would not interfere with the fraud triangle and create the possibility for fraud. At the end, a subparagraph is dedicated to the effect of Covid-19 on internal control.

4.1 Objectives

In the introduction and theoretical framework, the argument is made that having clear and unambiguous objectives is important for internal control systems. During the interviews, the organisations were divided regarding their pursued objectives and how they perceived those objectives. Four organisations had a preference for which objective they pursued, whilst five organisations showed that they believed all the pursued objectives were equally important:

‘Yes, the most important thing was and still is the objective of reporting, it is an important indicator. It has to be reliable and fast’.

[CFO; Organisation 4]

‘The main objective of the Department of Internal Control within the organisation is to assess whether we comply with all the regulation and legislation’.

[Employee Internal Control; Organisation 8]

‘All those objectives are equally important, they are all part of our guidelines. They are all equally relevant’.

[Project Controller; Organisation 7]

Another important aspect of the objectives seen during the interviews was that only six organisations had clear objectives that they wanted to achieve through the internal control system. Three organisations found it challenging to describe the objectives they wanted to achieve. This could be concluded due to the changing ideology about the objectives during the interview. Only one organisation stated that detecting fraud was one of their objectives.

4.2 Control Environment

4.2.1 Autonomy and Independence of Employees

‘We work in a dedicated structure. We have a division next to the operational manager. My team is the controller of the operational manager and all of his budgets. My hierarchical supervisor is not the operational manager, but another financial supervisor who is equal to the operational manager’s supervisor’.

[Manager Finance and Control; Organisation 3]

Organisation 7 used a specific guideline, which actively motivated employees to speak up when they saw unethical behaviour.

‘Well, he can refuse that. There is also a speak-up guideline for this because when it comes to a manager, it is difficult to say no. The intention, of course, is that they can do so, but if they don’t, then there are extra checks’.

[Project Controller; Organisation 7]

Furthermore, all interviewed companies stated that they had a code of conduct which outlined acceptable behaviour. All interviewed companies additionally had either a tip line or a confidential adviser to whom they could go if they saw unethical behaviour. In terms of the code of conduct, not all organisations were sure of how much it was read by the employees. Organisation 4 forced employees to read the code of conduct by having them sign off on it.

‘When we hire people, they get a handbook, a sort of code of conduct. It states how someone is supposed to work. When people are hired, they are given access to it. They also have to sign the handbook’.

[CFO; Organisation 4]

The autonomy of employees, code of conduct and confidential adviser all contribute to the business culture, the ethical consciousness, of the organisation. Creating an ethical culture within the organisation is important, as it can interfere with the rationalisation aspect of the fraud triangle. However, these aspects on their own do not necessarily create an ethical culture within an organisation. This ethical culture should be actively promoted by managers in order to maintain this.

‘We also have a compliance academy so that additional questions can be asked. In addition, we have colleagues from the compliance department whom you can ask questions if you do not understand something. As far as I know, everyone has passed, which is a requirement for our certificate. We have a special certification for ethics’.

[Project Controller; Organisation 7]

minimalising that, partially for the quality of healthcare, that you can be critical and that you have to ask those critical questions’.

[Manager Audit; Organisation 6]

However, three interviewed organisations did not mention the use of extra measures to actively promote the ethical culture within the organisation. These organisations were all relatively small, with the largest organisation having around 3,000 employees. The larger organisations all stated that they had specific employees whose job it was to increase the ethical consciousness within the organisation. However, not a single sized organisations stated that they had this employee. One medium-sized organisation, Organisation 2, stated that the executive team enforced ethical consciousness through their decisions and through the impact they had on the culture in the organisation.

‘That is the experience that you get over the years. For example, I can be very difficult about two euros. That has to do with making it clear that some things are just a no-go area’.

[CFO; Organisation 2]

4.2.2 Background Check

Doing a background check is part of COSO’s control environment. In the theoretical framework, the argument is made that hiring people with prominent personal ethical norms can benefit the control environment. Six interviewed organisations stated that new employees needed to have a Certificate of Conduct (CoC). Five organisations stated that the employee had to have a CoC before they started working. One organisation stated that the CoC should be available after the first employment contract period was over. These organisations stated that if an employee did not have a CoC, there was no room for that employee within the organisation and the employment contract would thus be terminated. However, Organisation 5 chose to use assessments instead of CoCs to determine an applicant’s ethical norms, and Organisation 7 used reference checks. Organisation 6 stated that all medical staff had to have a CoC and the majority of the non-medical staff, but not all. Organisation 3 went further than solely using the CoC. They did a thorough background check on all new employees that started working at the organisation. These background checks were occasionally as thorough as visiting a new employee’s house to look for uncommon things.

‘Yes, a CoC is required and an additional background check is done. How difficult that background check is depends on what position someone is going to get. There are a number of levels, usually it’s a kind of desk research, and people have to complete a questionnaire. However, the more demanding the job, the more demanding the check; so it could be that people come to your house to see how you live and what kind of car you drive’.


4.2.3 Competency in Job

The competency of an individual to properly do their job is important. When someone does not exercise their job properly, this can lead to gaps in the internal control system or failure of the controls that are done. All the interviewed companies stated that they believed competence was an important aspect. All companies stated that they looked at the competence of an applicant during the hiring process, and six companies stated that they had some form of continuous learning available, either through in-house training or through training budgets.

‘Yes, that is organisation-wide. It is possible for everyone to continue studying in order to keep knowledge up to date. This is possible for everyone, regardless of which department you are in’.

[Project Controller; Organisation 7]

4.2.4 Responsibility and Accountability of Employees

Responsibility and accountability are important aspects, as failing to either hold employees accountable or give them responsibility can lead to gaps in the internal control system. All interviewed organisations stated that they held employees accountable when they purposefully did something wrong. Eight interviewed organisations stated that they would additionally undertake action if employees made mistakes, be that either in terms of help or disciplinary measures.

‘Well, keeping people responsible. People just have a certain responsibility. We don't judge people like they do in business, unless people really cross a line’.

[Business Controller; Organisation 3]

‘So I'm going to try to help, and I'll make sure it doesn't happen again’. [CFO; Organisation 2]

Another interesting perspective was offered by the internal control employee of Organisation 8, who argued that an excessive number of procedures would result in individuals failing to feel responsible for the jobs they did.

‘More procedures also lead to more errors, because at some point people stop thinking’. [Employee Internal Control; Organisation 8]

4.3 Risk Assessment

4.3.1 Fraud Risk

attention in prior years, and one organisation stated that the internal control system was not at the necessary level.

‘I think that internal control has been a subordinate area in the past’. [Concern Controller; Organisation 9]

In general, organisations differed in the way that they perceived fraud. Seven organisations stated that fraud was important and that they frequently thought about the risk. Two organisations stated that fraud was not necessarily considered. Organisation 8, operating in healthcare, stated that they did not believe that fraud happened within the organisation. They argued that the places where fraud could happen had strong internal controls and fraud, therefore, could not take place. Organisation 9 stated that their internal control system was more focused on preventing mistakes than on preventing fraud. The reasoning behind this was that the employee had not seen fraud within the healthcare sector.

‘Definitely; definitely. I don't want to say that we are working on it every day, but as a trading company, I always say that there are two main weaknesses in our organisation – that's inventory and cash’.

[CFO; Organisation 4]

‘No, fraud is not really a thing here. We do have a department where we can report fraud, but we don't really see a high risk of fraud here either. There has to be an opportunity, a certain amount of pressure and it might occur, but not to my knowledge’.

[Employee Internal Control; Organisation 8]

‘So, the risks here are not that someone walks away with a hospital bed’. [Concern Controller; Organisation 9]

However, Organisation 9 later stated that they looked at several aspects of fraud. At the beginning of the Covid-19 epidemic, face masks went from being readily available to being a scarce item. On the topic of face masks, Organisation 9 stated that they used measures for these types of inventory.

‘Yes, that’s not very strictly checked. However, we only deliver to a limited extent. We have a central warehouse and from there, we deliver to departments. These things are a scarce resource, so it is carefully monitored whether there are deviations in consumption’.

[Concern Controller; Organisation 9]

‘The control system is mainly at the front. If everything goes according to the instructions, then all checks have already been done before the expenditure has been done, for all expenditures above € 1,250’.

[Business Controller; Organisation 3]

There were two main reasons for this, the first being that they worked with taxpayer money. This was thoroughly discussed, and the employees at Organisation 3 stated that they had to be careful with public funds. Another reason was the possibility of media backlash if fraud were to occur.

‘On the other hand, we do run the risk of getting negative media attention. That is something we consider a lot’.

[Manager Finance and Control; Organisation 3]

In summary, it could be concluded that the public organisation primarily focused on preventive internal controls whilst the other eight organisations focused on both preventive and detective internal controls.

4.3.2 Fraud Risk and Economic Cost

In terms of the economic cost of the fraud risk, Organisation 3 stated that for all purchases above €1,250, the controlling process happened before the purchasing order was sent. All purchases below that amount were checked after purchase on a sampled basis. This was due to the economic cost as doing the full procedure for each amount was not worth it. Other organisations followed the same rhetoric.

‘If you have to do the full process for all small amounts, then that process is so much more expensive than what you would save. You just have to make that choice, what does it cost if the audit is not done, what financial risk is there’.

[Business Controller; Organisation 3]

‘When you talk about fraud, it doesn't matter for how much it is. But when you set up a procedure, you make sure that the procedure is good. But controlling the procedure, how much energy do you put in that? Then it may well be that you think that it takes so much time, then the benefits do not outweigh the costs’.

[Controller/Manager Operations; Organisation 5]

‘That is important; people know that I am not someone who will check to the last penny. That’s why I make sure that there are enough conflicting interests and enough conflicting characters to ensure that no fraudulent practices are taking place’.

‘In the financial area, the most important processes, which contain the most important risks, are audited by us’.

[Manager Audit; Organisation 6]

This was the general consensus among the organisations interviewed. They tended to look for a sweet spot as to where the internal controls were still economically viable. However, only Organisation 3 named a specific denomination. It was not necessarily wrong to be exposed to fraud risk. However, when an organisation exposed itself to the risk of fraud due to the economic cost, they had to have thought about this thoroughly. Eight organisations, however, could not name a specific denomination or set of rules for when the standard process was no longer economically feasible.

4.3.3 Examples of Fraud

Three organisations stated that fraud had occurred at the organisation before. Organisation 6 stated that the external auditor was asked for advice, and they reviewed the process with the help of the external auditor. Organisation 4 stated that money was stolen from the cash register and that inventory had been stolen. The interviewee acknowledged, at the beginning of the interview, that they were aware that these two aspects received extra attention during controls. Furthermore, the employees were dismissed. Organisation 2 stated that an employee attempted to pay a fine for a traffic violation via the organisation’s bank account. The fraud was discovered after the payment was done, thanks to the controls they had in place. The employee who attempted to defraud the organisation was dismissed.

4.3.4 Changes in the Internal Control System

It was vital for an organisation to recognise and analyse changes in the internal control system continuously, as failure to do this could result in gaps. Five organisations stated that they periodically, thus not continuously, looked for changes within the organisation that affected internal control systems.

‘That questionnaire is updated annually by internal audit. They analyse whether new checks have to be done and if so, those will be included in the next release’.

[Manager Control; Organisation 1]

‘We have a risk analysis that we do before any major changes in procedures or new equipment that we purchase. That is a kind of checklist, which you have to complete in case of changes or new processes’.

[Manager Audit; Organisation 6]

‘Well, we have a process portal for which we have fixed update moments. That is at least once every two years. Then everything is completely revised and sometimes updated’.

[Manager Audit; Organisation 6]

Organisations 2, 4, 5 and 9 monitored the effectiveness of the internal control systems whilst they performed the controls, during the monthly reporting, for instance. These organisations were all smaller than the other organisations. The other organisations, which were larger, stated that they had internal controls or internal audit departments that periodically monitored the effectiveness of the controls.

Another interesting aspect was that, when these changes were made, four organisations did not monitor them more closely. The changed procedure would be monitored in the same way that other procedures were, although these changes had not yet been tested in practice. Five organisations stated that they monitored these changes more.

‘Yes, once it has been adjusted it will be included in the procedure like normal’. [CFO; Organisation 4]

‘Yes, I think that's normal. If you change something, you always check whether it works’. [CFO; Organisation 2]

4.4 Control Activities

In terms of the control activities used, all interviewed organisations stated that they used multiple control activities. These control activities frequently differed among organisations, but the interviewees clearly demonstrated that they put much thought into the control activities. An important aspect of this was that eight organisations stated that the control activities were enforced via their information technology systems. For instance, the segregation of duties was built into the financial system used.

‘Yes, in that respect we work with a system in which segregation of duties is set up’. [Concern Controller; Organisation 9]

‘Currently, access controls on systems are performed by the Information Security Officer. The assessment of correctness of authorisations is carried out by both the accountant and the department internal audit’.

[Employee Internal Control; Organisation 8]

4.5 Information and Communication

4.5.1 Communication Across the Organisation

It was imperative for information to be communicated across the organisation. When this was not done, it could lead to misunderstandings between managers and controllers as to who did what. All interviewed organisations stated that they communicated about the internal controls to other departments when they felt it was necessary to do so.

‘Yes, it will be communicated if that is relevant to the rest of the organisation. Then the department head walks over to that department to explain what has changed’.

[CFO; Organisation 2]

‘Yes, if it is relevant for employees, then it will be communicated via intranet or via newsletters. It depends on which information is relevant to who’.

[Controller/Manager Operations; Organisation 5]

4.5.2 Open Communication

Open communication was additionally seen as important by all of the organisations; several had an open-door policy, and others went moderately further. This was important as fraud would require concealment, and this could be countered by having an open form of communication within the organisation.

‘What we preach as a management team is complete transparency. We explain why we do certain checks’.

[CFO; Organisation 2]

‘In general, it can be stated that we have open communication within our organisation. The board of directors is easily accessible, and the chairman of the board of directors periodically holds a coffee moment with employees. In regards to the audits performed by Internal Control, a retrospective survey is always conducted on the progress of the audit. This also includes communication from Internal Control’.


4.6 Monitoring Activities

Monitoring for gaps in the internal control system was an important aspect and, according to the chairman of COSO, it was frequently overlooked. Five organisations, which were all larger organisations, stated that the internal controls were periodically monitored on a sample basis, frequently by their own internal control or internal audit departments.

‘If there is a specific motivation such as fraud, for example, you can be sure that they will come by to review the process. But normally they will just check a part of that questionnaire once every two years to see if it is correct, what your substantiation is, why you say it is good, things like that’.

[Manager Control; Organisation 1]

However, smaller organisations stated that monitoring was part of their internal control system. They stated that this was done each month, or day, whilst they did their controls.

‘Every day, that's part of the process. This has to do with the reporting cycle. It is inherent to our company; we think about the controls every day, and we make a monthly report. Because we do these reports, there are many controls, and we work with them on a daily basis’.

[CFO; Organisation 2]

4.7 Covid-19

The questionnaire had a question about the impact that Covid-19 had on the internal control system. Three organisations stated that Covid-19 had no significant impact on the internal control system. Four organisations stated that it had a minor impact, and two organisations stated that they were not sure what the impact would be.

‘Yes, of course it has just started so we will have to see. Of course, it has an impact, but I don't know exactly what that will be’.

[Controller/Manager Operations; Organisation 5]

‘Well, in terms of internal control nothing. Most people work from home, but it doesn't really matter because you have a lot of controls such as verification when you log in. People can’t just make payments. There is a workflow for that. So essentially, not much has changed’.


5. Conclusion and Discussion

Within this chapter, the following research question is answered: How does the financial function assess fraud and implement preventive internal controls?

In terms of assessing fraud risk, Vona (2008) has argued that it is important to consider the risk of fraud. An organisation should not only assess the risk of achievement of the objectives but the risk of fraud as well. When an organisation does not consider fraud to be a risk to the organisation, this can lead to gaps in the internal control system and a subsequent opportunity to commit fraud. The interviews showed that seven organisations considered fraud risk to be important. However, two organisations stated that fraud risk was not something they necessarily considered. Both organisations stated that they believed that fraud did not occur within the organisation. One of these organisations stated that their internal control system was sufficiently robust to prevent and detect fraud. The other organisation stated that they did not think that fraud happened within the organisation. As these organisations did not consider fraud to be a risk, they most likely did not think about internal controls to prevent or detect fraud. As Vona (2008) has argued, this can leave gaps in the internal control system for these organisations. These gaps enable a component of the fraud triangle, namely opportunity.

Furthermore, Vona (2008) has additionally argued that organisations should do more than only consider fraud to be a risk. Organisations have different risk appetites and, based upon the risk appetite, an organisation can feel comfortable with being exposed to a small risk of fraud. However, it is imperative for organisations to have thought about this thoroughly and have made an informed decision. Only one organisation had thought about this thoroughly, setting up different levels of controls based upon the monetary risk that the organisation had. The other eight organisations could not name a specific denomination or set of rules as to when they deemed the risk to be low, thus allowing controls to be reduced. However, these organisations mentioned that they reduced controls when the process was deemed as less monetarily risky. This can lead to confusion as to when the controls over a process can be softened. In turn, this confusion can be used to manipulate the process and therefore facilitate the opportunity component of the fraud triangle.

and detective techniques. Organisation 3 primarily focused on preventive controls as they dealt with taxpayer money. Furthermore, they considered negative media attention to be a risk.

Additionally, Cascarino (2013) has argued that the objective of the control measure is imperative in order to ensure its effectiveness. This was demonstrated by using the example of the locked door – a lock on the door seems to be an ideal control measure, but when the door functions as an emergency exit, it is not an effective control measure. Therefore, the objective that the control measure has to attain is crucial to understanding what the control measure should be and how its effectiveness should be monitored. The interviews showed that three organisations had difficulty describing the objectives they wished to achieve. This resulted in difficulties in both monitoring and ensuring the effectiveness of the internal control system, as argued by Cascarino (2013). This can leave gaps in the internal control system and thus enable the opportunity component of the fraud triangle. Additionally, Moeller (2013) has argued that conducting a criminal background check is an important aspect for enabling an ethical control environment. However, only six organisations stated that all employees were required to have a CoC. This could affect the control environment in a negative way. This is due to two aspects. Firstly, requiring employees to have a CoC increases the chances of ensuring a new employee is ethical, thus increasing the ethical consciousness of the organisation. Secondly, when someone has shown unethical behaviour in the past, and therefore cannot get a CoC, it can imply that this person has a different code of ethics. When someone has a different code of ethics, they may be more likely to rationalise their fraudulent behaviour.

untested control measures might have several practical problems, which may be noticed if they are monitored more closely. However, leaving these untested control measures without additional monitoring can lead to a breach in the internal control system and, thus, it strengthens the opportunity component of the fraud triangle. All things considered, it could be concluded that the interviewees underestimated the added value of continuous monitoring.

To reflect back on the research question, it can be concluded that a majority of personnel in financial functions see fraud as a risk to the organisation. However, they do not consider the risk appetite they have in regard to the fraud risk. Although all organisations stated that they used some form of economic cost in regard to fraud risk, eight of those organisations failed to provide a specific denomination or set of rules as to when the controls should be reduced. When an organisation is not clear about which procedure to use, the perpetrator can pick a less thorough procedure when committing fraud. In turn, this allows the perpetrator to manipulate the control system to his or her advantage. This manipulation encourages the opportunity aspect of the fraud triangle. Furthermore, the interviews found that a majority of organisations put much thought and effort into their internal control systems. Eight organisations focused on preventive and detective control measures, whereas one organisation clearly focused on fraud prevention. Fraud prevention has been argued by Wells (2004) to be superior, as a majority of defrauded funds are not recovered. Thus, the added value of internal controls may be improved when organisations focus more on prevention than on detection. These preventive controls should be designed in accordance with the fraud triangle in order to interfere with the aspects that allow an individual to commit fraud. Additionally, there was a lack of monitoring of effectiveness for internal control systems. This can lead to ineffectiveness of controls as they tend to deteriorate over time. When these controls deteriorate, they no longer interfere with the opportunity aspect of the fraud triangle.

5.1 Contributions

The main contribution of this study is giving insight into how the financial function assesses fraud and how these functions use preventive internal controls to combat fraud. By gaining insight into this, academia can improve its understanding of the practical implications of internal controls and thus develop new theories that fit with these practical implications. Academia has mostly focused on how internal controls should be implemented, how they function and how they deter fraud. However, academia has not given much attention to the practical implications of internal controls and how the financial function assesses controls.

accordance with the COSO framework. In turn, this should lead to the internal control system having fewer gaps and thus preventing fraud. As mentioned earlier, improvement is possible for the monitoring of internal controls. Financial functions can use this research in order to improve understanding of the value and role of monitoring in preventing fraud.

5.2 Limitations

A limitation of this research was that there was no second researcher. This may have led to a biased interpretation of the interviews by the author and thus to untrustworthy results. This is a limitation of a master thesis. Another limitation was that interviews were held over the phone or via video chat. This was done to comply with company and government regulations regarding Covid-19. The fact that the interviews were not done face-to-face meant that the interviewer could not observe non-verbal communication. This could have resulted in misunderstandings or misinterpretations of the given answers.

5.3 Future Research

References

ACFE. (2018). Report to the nations: 2018 global study on occupational fraud and abuse. Austin: ACFE.

Apostolou, B., Hassell, J., Webber, S., & Sumners, G. (2001). The relative importance of management fraud risk factors. Behavioral Research in Accounting, 13(1), 1-24.

Button, M., & Gee, J. (2013). Countering Fraud for Competitive Advantage: The Professional Approach to Reducing the Last Great Hidden Cost. Hoboken: Wiley.

Byington, J., & Christensen, J. (2005). Sox 404: How Do You Control Your Internal Control? The Journal of Corporate Accounting & Finance 16(4), 35-40.

Cascarino, R. (2013). Corporate Fraud and Internal Control: A Framework for Prevention. Hoboken, N.J: John Wiley & Sons.

COSO, C. o. (2006, October 17). COSO Issues Request for Proposals: Project to Focus on Monitoring of Internal Control [Press release]. Retrieved from www.coso.org: https://www.coso.org/Publications/Monitoring%20RFPRelease.pdf

COSO, C. o. (2013). Internal Control - Integrated Framework. COSO.

COSO, C. o. (2013). Internal Control - Integrated Framework: Executive Summary. COSO.

Cressey, D. (1971). Other people's money: A study in the social psychology of embezzlement. Belmont, Calif: Wadsworth Pub.

D.A., G., K.G., C., & A.L., H. (2013). Seeking Qualitative Rigor in Inductive Research: Notes on the Gioia Methodology. Organizational Research Methods 16(1), 15-31.

Dellaportas, S. (2013). Conversations with Inmate Accountants: Motivation, Opportunity and the Fraud Triangle. Accounting Forum 37(1), 29-39.

Dickins, D., & Fay, R. (2017). Coso 2013: Aligning internal controls and principles. Issues in Accounting Education 32(3), 117-128.

Dorris, B. (2018). Report to the nations: 2018 global study on occupational fraud and abuse. ACFE.

Doxey, C. (2019). Internal Controls Toolkit. Hoboken, New Jersey: Wiley.

Eisenhardt, K. (1989). Building theories from case study research. Academy of Management Review 14(4), 532-550.

Eriksson, P., & Kovalainen, A. (2008). Qualitative Methods in Business Research. Los Angeles, Calif.: SAGE.

Fellner, B., & Mitchel, L. (1995). Communication: An Essential Element in Internal Control. Journal of the Healthcare Financial Management Association 49(9), 80-82.

Fourie, H., & Ackermann, C. (2013). The impact of COSO control components on internal control effectiveness: An internal audit perspective. Journal of Economic and Financial Sciences 6(2), 495-518.

Hermanson, D., Smith, J., & Stephens, N. (2012). How Effective are Organizations’ Internal Controls? Insights into Specific Internal Control Elements. Current Issues in Auditing 6(1), 50.

Hooks, K. L., Kaplan, S. E., Schultz, J. J., & Ponemon, L. A. (1994). Enhancing communication to assist in fraud prevention and detection; Comment: Whistle-blowing as an internal control mechanism: Individual and organizational considerations. Auditing: A Journal of Practice & Theory (13), 68-117.

Huang, S., Lin, C., Chiu, A., & Yen, D. (2017). Fraud detection using fraud triangle risk factors. Information Systems Frontiers: A Journal of Research and Innovation, 19(6), 1343-1356.

Hunziker, S. (2017). Efficiency of internal control: Evidence from Swiss non-financial companies. Journal of Management & Governance, 21(2), 399-433.

Jung-Gehling, C., & Strauss, E. (2018). A Contemporary Concept of Organizational Control: Its Dependence on Shared Values and Impact on Motivation. Schmalenbach Business Review 70(4), 341-74.

Kasey, M., Sanders, E., & Scalan, G. (2014). The Potential Impact of Coso Internal Control Integrated Framework Revision on Internal Audit Structured Sox Work Programs. Research in Accounting Regulation 26(1), 110-117.

Loebbecke, J., Eining, M., & J.J., W. (1989). Auditors' Experience with Material Irregularities: Frequency, Nature, and Detectability. Auditing: A Journal of Practice & Theory, 9(1), 1-28.

Lokanan, M. E. (2015). Challenges to the fraud triangle: questions on its usefulness. Accounting Forum 39(3), 201-224.

Moeller, R. (2013). Executive's Guide to Coso Internal Controls: Understanding and Implementing the New Framework. Hoboken, NJ: John Wiley & Sons.

Naruedomkul, P., Rodwanna, P., & Wonglimpiyarat, J. (2010). Organization frauds in Thailand: A survey on risk factors. International Journal of Criminal Justice Sciences, 5(1), 203–219.

Rahman, R., & Anwar, I. (2014). Effectiveness of fraud prevention and detection techniques in Malaysian Islamic banks. Procedia - Social and Behavioral Sciences, 145, 97-102.

Riney, F. (2018). Two-Step Fraud Defense System: Prevention and Detection. Journal of Corporate Accounting & Finance 29(2), 74–86.

Rorie, M. (2020). The Handbook of White-Collar Crime. Hoboken, NJ: Wiley-Blackwell.

Rubino, M., Vitolla, F., & Garzoni, A. (2017). The Impact of an It Governance Framework on the Internal Control Environment. Records Management Journal 27(1), 19-41.

Sarbanes-Oxley Act of 2002, section 404. (n.d.).

Schuessler, K. (1954). Other people's money: A study in the social psychology of embezzlement. Donald R. Cressey. American Journal of Sociology, 59(6), 604-604.
