ComplianceJuly 09, 2025

Strengthening internal controls to prevent fraud

Fraud remains one of the most pervasive and expensive risks facing organizations of all sizes and sectors. Whether it manifests as financial statement manipulation, procurement schemes, cyberattacks, or asset misappropriation, fraud can weaken an organization, undermine stakeholder trust, and result in substantial financial losses. According to the Association of Certified Fraud Examiners (ACFE), organizations worldwide lose an estimated 5% of their annual revenues to fraud, translating into trillions of dollars in losses each year.

In the fight against fraud risks organizations have two options: prevention and detection. In practice, organizations will employ both types of controls; however, prevention controls are more valuable, as detection means the damage has already been done. This article explores the safeguards organizations should incorporate into their processes to help deter fraudulent activities. It covers both the overall control environment and specific controls that can be implemented to potentially prevent internal and external fraud.

The internal control environment

Building a resilient internal control environment requires a proactive approach that encompasses understanding emerging threats, adopting best practices, effectively utilizing technology, and cultivating a culture of integrity. Internal controls should be intentionally designed to address potential fraud schemes that are seamlessly integrated into day-to-day operations. The control environment must evolve over time in response to changes in processes and technology. For instance, traditional controls like manual reconciliations or paper-based approvals may no longer suffice to counter cyber threats or digital transactions.

A dynamic control environment involves continuous monitoring, periodic risk assessments, and prompt adjustments based on emerging risks. It also requires leadership commitment to fostering an organizational culture that values transparency, accountability, and ethical behavior, as well as a commitment to continuous training and ongoing communication. When controls are viewed as an integral part of operations rather than static checklists, organizations are better positioned to prevent fraud, identify anomalies early, and respond effectively.

The control environment establishes the tone at the top and impacts the integrity and ethical standards throughout the organization. Leadership must foster a culture that prioritizes compliance, ethical conduct, and open communication. Clear policies, training, and accountability measures strengthen this environment, clarifying expectations for behavior and establishing a clear tone through visible management support, consistent enforcement of policies, and a zero-tolerance approach to misconduct.

Fraud prevention controls

To effectively prevent fraud, organizations must first gain a deeper understanding of the conditions and motivations that drive individuals to commit fraudulent acts. For more than seventy years, the fraud triangle, originally developed by criminologist Donald Cressey, has served as the foundational model for analyzing why fraud occurs within organizations. This traditional framework highlights three critical factors that must converge for fraud to take place.

  • The first factor is opportunity, which refers to an individual’s ability to commit fraud without being detected, often due to weak or poorly enforced internal controls.
  • The second factor is pressure, which can stem from various sources, such as financial problems, debt, unrealistic work expectations, or personal obligations that create an incentive to engage in dishonest behavior.
  • The third factor is rationalization, which involves the fraudster’s ability to mentally justify their unethical actions, convincing themselves that what they are doing is acceptable, that they will pay it all back, or that they somehow deserve what they take.

By recognizing and addressing each element of the fraud triangle, organizations can implement targeted controls and foster a culture of integrity that collectively reduces the likelihood of fraudulent behavior.

Fraud-Triangle


Most fraud prevention controls are based on the concept that disrupting one or more contributing factors can reduce the risk of fraud. For example, limiting opportunities through strong internal controls and easing pressure by offering fair compensation and employee support programs can significantly lower the likelihood of fraudulent behavior.

Common fraud prevention controls encompass, but are not limited to (refer to the Appendix for additional examples):

  • Separation of duties (SoD): A mechanism designed to prevent fraud and errors by ensuring that no single individual has control over all aspects of any critical business process. This principle distributes responsibilities across multiple people or roles so that tasks such as authorizing, recording, custody, and reconciliation are assigned to different individuals or teams.
  • Mandatory job rotations and vacations: These practices help uncover irregularities by exposing ongoing schemes and increasing the chance of detection.
  • Access reviews: Regularly review user access and permissions to ensure they align with their current job responsibilities.
  • Continuous oversight: Helps detect anomalies, control failures, or emerging risks before they escalate. Activities such as periodic internal audits and unannounced spot checks play a key role in identifying these issues early.
  • Vendor management program: Implementing structured oversight, clear accountability, and risk mitigation measures throughout the vendor lifecycle is essential. A robust program should incorporate controls such as thorough due diligence, well-defined contractual controls, and regular performance evaluations.

View a demo

Case study: Retailer implements internal controls for fraud prevention

To illustrate the importance of implementing fraud prevention controls, let’s consider a simple real-world example. One of the areas where fraud occurs frequently is in expense reimbursement. In this example, a large retail company in the US had a policy of automatically approving expense reports submitted by its top executives. These reports frequently exceeded $5,000 per month and, during international travel, sometimes reached as high as $20,000 – without undergoing any formal review or verification. 

Each year, the company conducted annual internal audits to identify inappropriate expenses, which were frequently uncovered due to weak internal controls. Although executives were asked to repay the questionable amounts, no further action was taken. Eventually, one executive was discovered to have submitted fraudulent reimbursement claims. In response, the company replaced its reactive audit approach with proactive internal controls designed to prevent fraud from occurring in the first place.

The preventive controls implemented included:

  • Requiring preauthorization for expenses exceeding a specified threshold.
  • Setting dollar limits for different expense categories.
  • Mandating original itemized receipts, invoices, and proof of payment for all claims.
  • Prohibiting any executive, including the CEO, from approving their own expenses.
  • Periodically rotating approvers to reduce the risk of collusion.
  • Providing quarterly reports of executive expenses to the audit committee.

By implementing these new internal controls, the company successfully eliminated the opportunity for fraud to occur by proactively addressing vulnerabilities before they could be exploited.

Modern prevention measures for external fraud

Advances in technology have changed how we understand and approach fraud and we must think beyond the traditional fraud triangle. Although it remains relevant, it no longer captures the full picture. Today, we must consider external influences such as societal pressures, global cultural and ethical differences, and the technical capabilities to execute a fraud scheme. These additional factors are especially critical when evaluating external fraud risks. The fraud triangle was originally developed with the assumption that fraud is typically committed by trusted insiders with access to an organization’s resources.

Today, the risk of fraud from external parties is constantly increasing. Some may commit fraud simply to test system vulnerabilities, while others, such as state-sponsored groups, may target organizations with the intent to extort, often aiming to exploit cybersecurity insurance coverage. 

The rapid pace of technological advancement necessitates the implementation of additional fraud prevention controls, such as:

  • Cybersecurity enhancements: Measures such as multi-factor authentication (MFA), encryption, intrusion detection systems, and regular vulnerability assessments to safeguard systems and data.
  • Data analytics: Proactive monitoring and analysis to detect anomalies in payment patterns, vendor behavior, or system activity logs.
  • Zero trust security: A model that enforces strict identity verification and access authorization for every request, regardless of whether the user is inside or outside the network perimeter.

Even with additional controls in place, organizations are now facing threats from fraudsters using artificial intelligence (AI) to execute fraud schemes that would have otherwise been beyond their ability. AI is being used to create fake documents, profiles, voices, images, and videos to deceive employees into providing sensitive information. As cyber fraud threats continue to evolve, organizations must implement new and adaptive controls to effectively prevent emerging risks.

Internal audit’s role in fraud prevention

Internal audit plays an important role in an organization’s fraud prevention efforts by serving both as a deterrent to potential fraudulent behavior and as an independent evaluator of the effectiveness of management controls. While the primary responsibility for preventing and detecting fraud rests with management, internal audit provides independent assurance that the controls and processes in place are robust enough to mitigate fraud risks. Through systematic evaluation of internal controls, auditors help ensure that key policies such as segregation of duties, access restrictions, and approval hierarchies are appropriately designed and operating effectively. This proactive assessment not only reinforces the overall control environment but also plays a critical role in minimizing opportunities for fraud to occur.

A key element of internal audit’s contribution to fraud prevention is its ability to identify areas most vulnerable to fraud through comprehensive risk assessments and testing. Auditors analyze processes, financial transactions, and organizational structures to pinpoint where fraud risks are highest and determine whether existing controls adequately address those risks. This focus allows the organization to prioritize resources and remediate control weaknesses before they can be exploited. Additionally, internal auditors often deploy data analytics and continuous monitoring techniques to detect red flags such as unusual transactions, duplicate payments, or patterns that deviate from normal business operations. Early detection through audit activities enables organizations to respond promptly to suspicious behavior and limit potential damage.

Beyond the technical aspects of evaluating and monitoring controls, internal audit plays a vital role in shaping an organization’s culture of integrity and accountability. By fostering ethical behavior, verifying that policies are clearly communicated, and ensuring the effectiveness of whistleblower mechanisms, auditors help reinforce the organization’s commitment to a zero-tolerance stance on fraud. This cultural reinforcement not only deters unethical behavior but also empowers employees to report any irregularities they encounter.

Finally, internal audit acts as a trusted advisor to both management and the board of directors by delivering independent assessments of the strength of anti-fraud controls and the overall effectiveness of the organization’s fraud risk management framework. By sharing insights on emerging fraud trends and lessons learned from past incidents, auditors help ensure that anti-fraud strategies evolve alongside the organization’s operations and the broader threat landscape. In essence, internal audit’s role not only bolsters an organization’s defenses against fraud but also reinforces stakeholder confidence in its governance and ethical standards.

Internal controls and fraud

The relationship between fraud and internal controls is well-recognized and firmly established. The ACFE reports that half of all frauds occurred due to the lack of internal controls. They also found that “82% of victim organizations MODIFIED their anti-fraud controls following the fraud,” demonstrating a clear pattern: companies often underestimate the importance of robust internal controls until they suffer a financial or reputational loss. Strengthening the internal control environment helps prevent fraud by establishing clear procedures, segregating duties, requiring multiple levels of authorization, and promoting accountability at every level of the organization.

Proactively designing, implementing, and regularly testing internal controls to prevent fraud not only acts as a deterrent to potential fraudsters but also fosters a culture of integrity and ethical conduct throughout the organization. Building a control environment that focuses on prevention more than detection reinforces the notion that internal controls are not just compliance requirements but strategic safeguards that protect an organization’s assets, reputation, and long-term viability.

Appendix – Example fraud prevention controls:

  1. Code of conduct and ethics policy — Clear rules for acceptable behavior.
  2. Strong tone at the top — Executives model integrity and communicate zero tolerance for fraud.
  3. Fraud awareness training — Regular training for employees and managers on how to spot and report fraud.
  4. Whistleblower hotline — Anonymous channels for employees, vendors, or customers to report suspicions.
  5. Conflict of interest disclosure — Employees must disclose relationships that could pose fraud risks.
  6. Separate authorization, custody, and record-keeping — For example, different people approve invoices, make payments, and reconcile bank accounts.
  7. Dual authorization for payments — Require two signatures or approvals for payments above a threshold.
  8. Rotation of duties — Periodically rotate staff in key positions to prevent long-term concealment.
  9. Mandatory vacation policy — Employees must take leave; continuous presence may hide fraud.
  10. User access reviews — Periodic review and removal of unnecessary system access.
  11. Role-based access control (RBAC) — Grant the minimum system permissions needed for each job.
  12. Multi-factor authentication (MFA) — Adds a layer of security for system logins.
  13. Audit logs — Record and monitor user activities for unusual actions.
  14. Change management – All changes must be authorized, reviewed, and approved before moving into a lie environment.
  15. Restricted physical access — Limit entry to cash rooms, server rooms, or records storage.
  16. Reconciliations — Regular, independent reconciliation of bank accounts, inventory, and vendor statements.
  17. Approval hierarchies — Pre-defined approval limits for expenses, procurement, and contracts.
  18. Vendor due diligence — Vet new vendors and periodically re-validate existing ones.
  19. Duplicate payment checks — Use software to detect duplicate invoices or payments.
  20. Exception reports and alerts — Automated reports for unusual transactions (e.g., after-hours transactions).
  21. Physical inventory counts — Surprise or scheduled counts of assets and inventory.
  22. Cash handling procedures — Secure cash registers, drop safes, and segregation between cashiers and reconcilers.
  23. Email security awareness — Train employees to detect phishing or social engineering.
  24. Firewalls and intrusion detection systems (IDS) — Protect networks from unauthorized access.
  25. Encryption of sensitive data — Protect data in transit and at rest.
  26. Supplier/vendor fraud checks — Screen for fake suppliers, inflated invoices, or collusion.
  27. Customer verification procedures — Prevent identity fraud in customer onboarding.
  28. Data analytics for fraud indicators — Continuous monitoring for patterns like round-dollar transactions, split purchases, or unauthorized changes.
  29. Internal audit program — Independent testing of controls and surprise audits.
  30. Fraud risk assessment — Regularly update fraud risk profiles and adapt controls accordingly.
  31. Third-party audits — Engage external auditors for an additional layer of assurance.

Subscribe below to receive monthly Expert Insights in your inbox

For auditors who are challenged to improve audit productivity while delivering strategic insights, TeamMate provides expert solutions, delivered with premium professional services, to auditors around the globe and in every industry.
Back To Top