Fraud prevention goes beyond robust internal controls

Singapore enters this assessment in the aftermath of its largest money laundering case – a SGD 3 billion syndicate operation uncovered in August 2023 that drew international attention and prompted significant reforms to the country's AML/CFT framework. 

In July 2025, the Monetary Authority of Singapore (MAS) concluded its enforcement sweep of the case, fining nine financial institutions a combined SGD 27.45 million.

MAS found that these firms did not properly implement their own anti‑money laundering and counter‑terrorism financing (AML/CFT) policies, despite having them on paper. In other words, while the controls existed, they were not upheld.

The incident showed that while companies understand the need for structured safeguards to deter, detect and mitigate fraudulent activities, having strong internal controls is not enough to prevent fraud.

The drift is gradual

Control failures rarely begin with a decision to act dishonestly. They begin with small process deviations that individually may seem harmless but collectively create the conditions for serious misconduct.

For instance, a payment is processed but the supporting invoice cannot be located. Rather than escalating the gap, a staff member reconstructs the document from memory and submits it as the original. The audit trail no longer shows what happened. It shows what someone decided it should say.

A superior suggests “making the file complete.” The instruction is soft – framed as administrative tidying, not falsification. The staff member complies because refusing feels disproportionate and clarifying feels like an accusation. This is how tone is set from the top: not through explicit directives, but through the casual normalisation of behaviour that compromises documentation integrity.

An approval is needed quickly. Instead of logging it through the system, someone sends a WhatsApp message or gives a verbal nod. The transaction proceeds. Everything looks normal. But the approval system exists precisely because trust is not a control. When approvals go offline, the independent record disappears.

Each action is easy to justify in isolation. Together, they erode the conditions that allow controls to function and create the environment in which more serious misconduct takes root.

The warnings were there

In most forensic investigations we conducted, the warning signs predate the problem by months, sometimes years. They were present in the documents, in staff behaviour, and in the language used within the organisation, but were not addressed.

The early indicators are consistent across cases:

• Subtle inconsistencies across documents – differences in dates, amounts, or approval signatures between records that should match.
• Records created after the event rather than at the time of the transaction.
• Explanations that shift depending on who is asking, a sign that people have learned to manage information rather than disclose it.
• Language like “let’s recreate it”, “just tidy the file,” “make it complete”. These indicate the organisation has developed a shared understanding that documentation can be adjusted.

The question is not whether these signals can be recognised.  The question is whether anyone in the organisation is positioned to act on them without fear of what happens next.

What external audit can and cannot do

A common assumption is that the external auditor will catch what management misses. It is worth being precise about what that means in practice.

External audit is designed to provide independent assurance on financial statements. A diligent auditor who pursues inconsistencies, presses on gaps, and declines to accept explanations at face value can surface early indicators of control failure. That has value. But audit operates on a sample, on a cycle, and on information that management controls. An organisation that has normalised document reconstruction, offline approvals and shifting explanations is also capable of presenting a clean face to an external reviewer.

Treating external audit as a fraud detection safety net is a misunderstanding of its purpose and a dangerous outsourcing of accountability. The responsibility for control integrity sits with the organisation. Audit can provide a check. It cannot substitute for ownership.

Create an environment that makes fraud inhospitable

A robust fraud detection system is not built by adding more forms, more checklists, or more policy documents. Beyond adding more processes, fraud detection requires a holistic, multi-faceted approach that integrates culture and systems.

Psychological safety is the foundation. People must feel safe to question unusual instructions and escalate concerns without fearing professional consequences. This is not achieved through a policy that says “we encourage speaking up.” It is achieved through what visibly happens to the person who does.

In addition, systems should be designed to make doing the right thing the easiest and automatic option. If records can be modified after the fact, approvals can bypass the system, and transactions can be backdated, the environment accommodates misconduct whether or not anyone intends it. The path of least resistance should lead to compliance, not around it.

Furthermore, leadership must track behaviour, not just outcomes. Files that pass review, numbers that hit targets, and transactions that look clean can all coexist with a control environment that is quietly deteriorating. The signs are in how people behave: defensiveness when questioned, shifting explanations, reluctance to follow process under pressure. Leaders who notice and address these behavioural red flags early can fix the culture before problems compound.

Thicker compliance manuals and more intricate processes are rarely the answer to enhanced fraud prevention. The best fraud prevention strategy is creating an environment that becomes inhospitable to fraud.