How to Use Internal Controls to Prevent Fraud, Waste and Abuse While Improving Auditability

There has been a lot of focus on internal controls recently in relation to the Department of Defense (DoD) audit, but it helps to understand those controls more clearly. Internal controls are processes designed to prevent or detect errors and mistakes, including those caused by fraud, waste and abuse.

Internal controls typically surround processes where information is created, recorded or transferred, and where transactions are authorized or executed, such as when money is authorized for expenditure. Internal controls help keep transactions running smoothly and in an ethical and legally compliant fashion. They ultimately serve to strengthen the reliability and accuracy of financial reporting for internal leadership, regulatory agencies, stakeholders and external auditors.

Internal controls should be clearly documented in policy and guidance, routinely re-evaluated, and tested to ensure they are working appropriately and are consistently executed by business process owners or end users. An internal control might be a policy requiring a second signature on purchases over $500, or a segregation of duties under which the person who runs payroll is different from the person authorized to sign the payroll checks. In an organization without proper internal controls, fraud, waste and abuse can run rampant. The Government Accountability Office (GAO) reported that $2.8B was recovered by the Department of Justice in fiscal year (FY) 2018 from civil cases involving fraud. The GAO defines fraud, waste and abuse as the following:[1]

  • Fraud is attempting to obtain something of value through willful misrepresentation.
  • Waste is squandering money or resources, even if not explicitly illegal.
  • Abuse is behaving improperly or unreasonably or misusing one's position of authority.

According to the Association of Certified Fraud Examiners (ACFE), fraud alone costs around $4.7T annually worldwide.[2] In Occupational Fraud 2022: A Report to the Nations, ACFE shared data and information gleaned from studying 2,110 fraud cases across 133 countries that resulted in a collective loss of $3.6B. Below are some key data points from the report:

  • The average loss per fraud case is $1.7M.
  • Organizations lose an average of 5% of revenue to fraud each year.
  • 29% of fraud occurred due to lack of internal controls.
  • 20% of fraud occurred by overriding existing controls.
  • Nearly half of all fraud came from these four departments:
    • Operations: 15%
    • Accounting: 12%
    • Executive/Upper Management: 11%
    • Sales: 11%

Criminologist Dr. Donald Cressey studied financial crimes and developed the “fraud triangle” to better understand what leads people to commit fraud. He posited that three elements must be present: incentive, rationalization and opportunity.[3]

Incentive – Many types of motives, incentives or pressures can lead an employee to commit fraud. Examples include shareholder expectations and performance awards, like commissions or bonuses.

Rationalization – People use a variety of excuses to justify their decisions to commit fraud. Examples of common rationalizations include feeling that one is not paid enough and is therefore owed, or thinking that one will make it right in the future.

Opportunity – To commit fraud, a person needs access. They may also need a basic understanding of the process and a certain level of trust. In the fraud triangle, opportunity is the only component that a company exercises complete control over. Examples that provide opportunities for committing fraud include lack of separation of duties and inadequate accounting policies.

If internal control weaknesses exist, they provide opportunities for exploitation by would-be fraudsters. Strong internal controls can help prevent or detect fraud, waste and abuse by removing, or significantly reducing, the opportunity to commit and conceal improper or incorrect actions. Following best practices helps to ensure strong internal controls.   


13 Best Practices to Fight Fraud, Waste and Abuse by Using Internal Controls

  1. Ensure strict oversight and segregation of duties for tasks and roles that result in an impact to the financial statements.
  2. Conduct an annual review of controls, guidance, procedural documentation and process maps surrounding transactions that impact the financial statements.
  3. Ensure strict processes surrounding expenditure authority by designating roles in writing for specific purposes and limited duration. Require that appropriate supporting documentation proving designated authority be provided when conducting transactions.
  4. Conduct an annual review of policies, procedures and training materials that pertain to internal controls.
  5. Test controls frequently to ensure they are working as designed and adjust them based on results.
  6. Educate the workforce about all internal controls that are relevant to their business processes.
  7. Automate controls when and where possible.
  8. Enforce an anti-fraud policy that includes:
    • Strong tone at the top.
    • Mandatory fraud, ethics and anti-corruption training for employees and managers/executives.
    • Utilization of an anonymous reporting hotline.
    • Enforcement of strict consequences for any cases uncovered.
  9. Ensure everyone takes time off throughout the year to take a “break” from their responsibilities.
  10. Cross-collaborate and rotate roles to get more eyes on business processes.
  11. Conduct random internal audit testing and inspections.
  12. Coordinate with external auditors and take appropriate action based on their findings.  
  13. Conduct a fraud risk assessment while reviewing the relationships involved with structured incentives, financial metrics and executive compensation plans.

Using the best practices outlined above, organizations can benefit by reducing the prevalence of fraud, waste and abuse while improving overall auditability of their financial statements. With strong internal controls surrounding financial processes that have been tested and proven reliable, the opportunities for fraud, waste and abuse in an organization can be reduced significantly.

If you are not confident that your organization has strong internal controls, BDO’s Public Sector practice offers an array of services that can help, ranging from financial management, audit readiness and audit remediation to data management, policy analysis and continuous process improvement. We are committed to helping the DoD reduce fraud, waste and abuse while continuing to make progress on their audit goals.

For more information on our service offerings, visit or send us an email with any questions you may have on how your organization might benefit from our insight into internal controls and fraud risk management.


[1] As summarized in FY 2019 by GAO in their overview infographic, “Fraud, Waste, Abuse, and Mismanagement: Know How to Recognize and Report Them,”
[2] As reported by ACFE in their annual report, “Occupational Fraud 2022: A Report to the Nations,”
[3] Cressey, D. R. (1953). Other people’s money: a study in the social psychology of embezzlement. Glencoe, IL: The Free Press.