Contact Us

Join Thousands of Auditors, CPAs, Executives, Managers and Their Teams Who Have Achieved Greater Professional Success

Building a Red Flag Culture to Catch Errors, Scams & Fraud

Searching for red flags is crucial in catching errors and detecting fraud. Although being aware of potential fraud risks is a good starting point, that’s all it is—a starting point. There needs to be follow-through in the form of meaningful audit and management action advice. That’s why it’s so important to build and sustain a red flag culture in your organization. 

A Look at Red Flag Culture in Everyday Life & Business

We live in a red flag culture whether we’re aware of it or not. 

Lifeguards at a popular beach hoist a red flag to warn swimmers of dangerous ocean currents. Forest rangers post red flag warnings to alert campers to the dangers of forest fires. Race car drivers stop when a red flag is posted during an event. Physicians warn their patients of the dangers of heart attack, stroke, and other life-threatening diseases by listing the red flag warning signs of those conditions.

If we pay even modest attention to what’s around us, we’ll quickly realize that simple red flag warning practices are present in many routine moments. Our bank warns us of a suspicious transaction on our credit card. Emergency messages are sent to our phones and tablets when severe weather is nearby. Traffic speed monitors light up to tell us we’re driving too fast. News articles are filled with stories of the signs of scams in spam calls and email solicitations.

In short, red flag warnings are an ever-present part of our culture. 

The same is true of the red flags of errors, scams, and outright fraud in our business lives. 

But just as in lifeguard, forest ranger, speed camera, and health warnings, the business red flags are too often ignored until it’s too late and damage has occurred. It’s clear organizations need to adopt a red flag culture to avoid the effects, but that’s easier said than done. 

The Challenge of Bringing Attention to Red Flags

For auditors and other compliance professionals, influencing the business environment is an uphill battle. We don’t have the power of management authority to dictate what to do. So, we use the following to nudge improvement: 

Auditors and other compliance professionals are seen as experts in internal controls. We project that expertise when we suggest practices that prevent or quickly detect errors, scams, and fraud. And one of the most powerful tools we use is questions. For example, “Pat, what do you think about before you approve supplier invoices?” “Mary, what questions do you ask yourself before approving employee timesheets, out-of-pocket reimbursement requests, journal entries, and other day-to-day transactions?” 

Because of our perceived expertise, the question “What do you think about before you approve…” is heard as, “Apparently, there’s a list of things I’m supposed to think about before I approve…”

And that’s where the red flags come in. 

A red flag culture in business is built on a foundation of approver knowledge of transaction red flag warning signs. It’s based on the willingness of reviewers and approvers to pause and consider these red flags of danger before they put their good name and reputation on transaction documents. Knowledge of and reaction to red flags are core elements of any meaningful business risk management effort. 

Here’s why… 

Business risk management revolves around the answers to two questions: 

  1. What could go wrong? 
  2. What would it look like? 

That second question—“What would it look like?”—is the connection to red flags. Unfortunately, it’s this second question that gets inadequate attention during risk brainstorming and related management action step efforts. And it’s the warning sign red flags—what it looks like—that is the key to risk management. 

For example, what does it look like in documents when a supplier invoice is incorrect or overstated? What does it look like when out-of-pocket travel costs have been inflated? What does it look like when a journal entry is used not to adjust financial results but to deceive users of reported financial results?

Reviewers and approvers should be able to answer these questions easily. And that’s what a red flag culture achieves. 

4 Steps to Building a Red Flag Culture 

Establishing a red flag culture in your organization can be challenging, but it’s not impossible. You just need to take it step by step. Let’s break it down into its component parts.

Step 1

When reviewing any transaction, report, variance analysis, journal entry, or dozens of other routine management control documents, start by looking hard at the details. Are there any red flags present? If so, they deserve a closer look. 

Step 2

Processors and managers need to ask, “How do I know this is correct? What is the factual basis upon which I will decide to approve or reject right now?” Pay attention to that last part. There needs to be a factual/historical basis for determining approval or rejection. 

Step 3

When in doubt, doubt—not believe! Don’t ignore the warning signs with a dismissal attitude based on, “Well, it’s probably okay. After all, it hasn’t happened before.” That’s simply not a good position to take when transaction red flags are present (or if lifeguards, forest rangers, car race safety officials, or physicians bring red flags to our attention). 

Step 4

Before approving the transaction, relationship, or event, resolve the red flag or refer it to others with the authority and skills to determine the root cause. Have them conduct a root cause analysis to determine how the anomaly occurred in the first place. 

These are four simple actions that take red flag warnings and build them into a red flag culture focused on action. 

Create a Red Flag Culture That Delivers Confidence

Now that you have a better understanding of what a red flag culture looks like and why it’s important, it’s time to examine your own. How does your organization stand up? If catching errors and detecting fraud is a struggle, you need to close the gap. By following the steps above, you can create a culture where fraud conclusions are made with confidence.