Forefront | Blog
Safeguard Against Fraud
As the Detroit Riverfront Conservancy is dealing with the fallout of Detroit’s largest alleged embezzlement scandal in decades, it may be high time for all companies to take a closer look at their own internal controls.
According to the Association of Certified Fraud Examiners' 2024 Report to the Nations, companies are estimated to lose up to 5% of revenue each year to fraud, with a median loss per case in the United States of $120 thousand. While the typical fraud case lasts about a year before detection, the longer the fraudulent activity goes undetected, the larger the potential damages. According to the Association, if fraud extends to 5 or more years without detection, the median loss skyrockets to over $850 thousand per case.
In these cases, full recovery of the losses is exceedingly rare: according to the Association, organizations in the United States are made whole only 16% of the time, and by far the most common outcome is a recovery of nothing.
Although the most newsworthy cases seem to impact larger organizations, it would be risky to believe that smaller, closely held organizations are immune to the risks of fraud. Smaller organizations often lack the resources, whether manpower or financial, to implement a robust system of internal controls. Additionally, organizations cannot rely solely on external audits or service providers to detect all instances of fraud, as less than 5% of all fraud cases in the United States examined by the Association of Certified Fraud Examiners in their 2024 Report to the Nations were uncovered by external audits.
These fraud facts may be alarming, but there is some good news. Following the internal control framework set forth by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO for short, organizations can begin to safeguard themselves from the risk of fraud.
The first of these steps is to establish a control environment, easily defined as the “tone at the top”. Establishing a tone at the top means demonstrating a commitment to integrity, ethical values, and competency through an organization's attitude and operational style. This tone is set at the highest level of an organization, whether that is the Board of Directors, senior management, or owner-managers, and can be communicated to all employees through anti-fraud policies and frequent fraud training or anti-fraud communications.
The second step is to perform a risk assessment, analyzing the areas where the organization may be most vulnerable to the risk of fraud or to operational risks. This analysis should include both internal and external factors and encompass a review of all risks that might stand in the way of achieving the organization's objectives.
The third step is to define control activities: the internal policies and procedures put in place to support the organization's control environment and to respond to the risks identified during the assessment. Commonly, control activities are broken up into two buckets, detective and preventative controls. Detective controls are designed only to uncover errors or fraud after they have occurred; examples are reconciliations, management review, and cash or inventory counts. Preventative controls, on the other hand, are designed to stop errors or fraud before they occur. Examples of preventative controls are segregation of duties, access controls, and dual authorization and approvals. While having both detective and preventative controls is important to support the overall control environment, a robust system of preventative controls is imperative in safeguarding a company from losses due to fraud. As previously mentioned, once an organization's cash or assets are “out the door”, it is rare for that organization to be made whole. As such, organizations should zero in on relevant preventative control activities and focus resources on supporting those.
Next, organizations should develop an information and communication system that allows relevant financial and operational information to be captured and communicated in a timeframe and method that lets the organization operate the business effectively and support the control environment. This can be achieved through investments in technology systems, open lines of communication across operational units, and communication both downwards and upwards across organizational lines. Investments in information and communication systems will not only help mitigate risks of fraud but will also provide organizations with the more accurate information needed to make critical operational decisions.
Finally, organizations need to monitor their internal control environment through ongoing monitoring of the internal control systems and periodic re-evaluations of the operational risks and control environment. Organizational leaders will need to regularly monitor the existing systems to ensure they are functioning as intended and are not being subverted. Additionally, as an organization grows, shrinks, or changes its risk profile, a top-down re-evaluation may be necessary to keep the control environment aligned with an ever-changing risk environment.
While no organization will ever be able to fully mitigate the risk of fraud, by establishing a robust internal control framework, organizations will help reduce their exposure while simultaneously gaining operational efficiencies.