While there is no sure-fire way to eliminate fraud - and if there were, the cost would be prohibitive - with proper attention by management it can be minimized. This article explores various steps we can all take to sharpen our fraud detection and prevention skills.

Part of the fraud problem is perception. For example, one controller said that "2% shrinkage is normal in our industry; we are pleased that our experience is just under that amount." When asked what caused the shrinkage, she had no idea. She had already decided not to worry about it - even though the loss totaled about $1.5 million a year - because the unstated assumption was that it wasn't possible in her industry to reduce shrinkage below the 2% "normal amount." When it was pointed out that real issue was acceptable theft levels rather than acceptable shrinkage levels, she changed her thinking. After an investigation, she discovered that the inventory was systematically being stolen from warehouses.

Employees and managers who review all transactions are in the best position to notice when something is fishy. Effective managers should issue policy guidelines that, in effect, tell each employee, "You are responsible for being aware of what can go wrong in your area. You are also responsible for detecting wrongdoing when it does occur." Everyone - including auditors - should be on the alert and at least look for those frauds that only he or she is in a position to detect.

To get better at finding fraud, auditors, employees and managers should follow the following four-step approach.

Before getting down to the detailed job of devising controls, do some research on what can go wrong. Employees are very good at finding the signs of problems - once they are told what to look for. Most financial and operating professionals have only a passing knowledge of the specific cons used by white-collar thieves. We hear about schemes involving credit cards, fake vendors, inventory theft, kickbacks, bad loans, earnings manipulation, and other cases, but few managers and employees really know the details of these deceptions.

Managers who have been defrauded often say, "But we had controls in place to prevent this from happening!" Hard as it is to accept, most prevention controls can be beaten by a motivated thief. And when thieves are inside the organization, they may be part of the control effort itself.

Start with finding out how past defrauders have pulled off their crooked acts. What was the thief's role in or relationship with the organization that gave him or her the freedom to commit the act? Ask yourself how management steps like downsizing, outsourcing, computerization and globalization affect the reliability of controls - as wells as the attitudes of those who have access to the assets.

Other places to look for help include industry sources. Many industry organizations maintain data on fraud cases. Since banks, insurers and others all support prevention, they keep useful information on the subject. In addition, seek out the security professionals working in your industry for guidance.

Keep and share files on news reports of fraud. These articles often contain enough detail to allow you to understand how the deed was done. But be careful not to get caught up in the drama of the fraud: Put less emphasis on the thieves and their reasons for stealing, focusing instead on the modus operandi.

Certainly take advantage of any formal training on fraud detection that's available. The American Institute of CPAs, Institute of Internal Auditors, Association of Certified Fraud Examiners and other professional associations frequently sponsor educational programs on this subject.

To begin the research in your own organization, first check with those that might have been involved in handling fraud: security, audit, legal, information systems, human resources and other pertinent departments. Confidentiality of past cases can be maintained because you do not need to know who did what. All you need to know is what happened and how.

Next examine potential fraud exposures by functional area. Start with current job positions in each area. Include external parties. Then brainstorm with colleagues how individuals in each of these positions could defraud the organization - focusing on the opportunities presented by the position, not the identity of the individual who currently occupies the position.

After completing such research, begin to look at the controls that are in place. Make sure the current controls go beyond preventing fraud. Tell employees who to contact when they suspect fraud.

Fraud indicators - the specific observable signs that fraud may be present - may be of the actual fraud or of the cover-up attempt. The easiest indicators to spot involve cash and inventory shortages. But even there, clever thieves find ways to obscure the indicator. For example, it's hard to tell immediately whether missing original documentation may be due to filing errors or because someone destroyed the documents to cover up a theft.

When one of these indicators appears, use caution. Often there are reasonable explanations and they usually don't lead to a thief - just an error or a poorly designed process. So don't jump to conclusions. Instead, track down the cause for the indicator.

The conventional control procedures used to identify errors or irregularities include quality assurance programs, sampling and reperforming the work of subordinates, review of unusual transactions on edit and cost center reports, and detail review and approval of reconciliations. When segregation of duties is impractical, and in areas offering high opportunity - such as cash handling, funds transfer and inventory - pay extra attention, asking detailed questions about the process and the controls.

In developing procedures, be sure to include specific steps calculated to look for fraud indicators. And while measuring fraud exposure, assess the reliability of such controls.

Auditors should include steps in their programs designed to both identify fraud indicators and to bring them to the surface. Testing plans should consider both the fraud exposures and the reliability of internal controls. Building audit programs to look for fraud indicators (as is required by Statement of Auditing Standards 99, Consideration of Fraud in a Financial Statement Audit) includes selecting large samples to look for fraud indicators and the use of computer retrieval and matching techniques.

Auditors must remember that in deciding sample sizes, they are also deciding the probability of having the opportunity to detect fraud and other problems. The probability depends on the amount of fraud, the size of the population, and the number of sample items selected for testing. Stratification of the population, directed sampling and discovery sampling may prove helpful.

Whoever finds an indicator of fraud - the external or internal auditor or an employee of the organization - should resolve the situation before going on. Operate with an attitude of healthy professional skepticism. Beware of pressures to complete work within unreasonable deadlines. Be aware that the single indicator you have discovered may not be an isolated occurrence; it may be one of many.

If you believe the follow-up is beyond your capabilities, consider giving the problem to a professional investigator. There are legal and other dangers inherent in mishandling possible fraud cases.

The bottom line is this: The only way to protect against fraud is to be sure that the organization's managers and employees stay alert to the possibilities and maintain a proactive role.

The construction company's project manager engineered a simple scam that earned him about $250,000 before he was unmasked. Here's how he did it - and how he was tripped up: The project manager opened a bank account using a name very similar to the name of the construction project he was managing. He then approached three major suppliers and requested cash rebates in excess of normal industry practice. In exchange, he guaranteed each would be the sole source for their respective products. In addition, he promised that they would be paid promptly for all materials delivered. He told them that rebates were due on the first of each month for all transactions of the preceding month. The checks were to be made payable to the name on the bogus bank account. The suppliers agreed to the unusual terms in order to secure the business. None questioned the name on the checks because it was close enough to the actual project name. The arrangement worked smoothly for several months. Rebate checks were delivered to the project manager each month, and he deposited them into his account. After the checks cleared, he withdrew most of the funds using cashier's checks. The scheme came to light when a supervisor in the construction company's accounts payable department questioned why the three suppliers weren't offering prompt-payment discounts. She had just attended a fraud awareness seminar and remembered that such an unusual arrangement might be an indicator of fraud. Rather than question either the project manager or the suppliers, she correctly referred the matter to the corporate audit department for investigation. The auditors made simultaneous unannounced visits to all three suppliers. Two wouldn't talk, but the third explained the relationship and provided copies of the cancelled rebate checks.