For The Tribune-Democrat
Internal fraud controls aren’t fire-and-forget. Smart collaboration and ongoing improvement will help keep fraud in check.
The one thing about internal controls is that they can break down over time and can be circumvented.
So here are the basics:
There are several keys to effective fraud prevention, but some of the most important tools in the corporate toolbox are strong internal controls.
Equally important, though, are the company’s attitude toward fraud, internal controls and an ethical organizational culture. While ethical culture is driven by senior management’s control environment or “tone at the top,” buy-in from the company’s board of directors and audit committee also are essential in promoting an ethical and transparent environment.
Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.
Internal controls should not be thought of as static.
They are a dynamic and fluid set of tools that evolve over time as the business, technology and fraud environment changes in response to competition, industry practices, legislation, regulation and economic conditions.
While no company, even with the strongest internal controls, is immune to fraud, strengthening internal control policies, processes and procedures definitely makes a company a less-attractive target to both internal and external criminals seeking to exploit internal control weaknesses.
Strengthening internal controls is seldom accomplished by enhancing one process; rather it involves a comprehensive review of the risks faced, the existing internal controls already in place and their adequacy in preventing fraud from occurring.
• Audit interaction.
The first part of strengthening internal controls involves changing the attitude some employees have toward auditors.
It is easy to view auditors as the “internal affairs” group, whose sole responsibility is to ferret out wrongdoing and identify employees who are breaking the rules.
But to be successful, auditors must be viewed as key partners and allies in the battle against fraud. This is further reinforced as the auditor’s role ensures that he or she is always at the forefront of corporate policies, practices, procedures, technology, new products and services. That makes auditors a valuable source of corporate information.
Another way to strengthen internal controls is by improving communication with regular interaction among departments. Communication protocols must be established and agreed upon.
Critical incident notification procedures must be in place to ensure everyone is aware of an incident and understands what their defined roles are when the incident occurs.
The 2010 Association of Certified Fraud Examiners Report to the Nation is enlightening.
The report found that frauds are most likely to be detected through a tip than by any other means. This process may be strengthened through increased promotion of an ethics hotline in company mailings, internal communications, newsletters and the company website.
While not all calls to the ethics hotline are indicative of an internal control weakness or fraud, the ones that are demand increased scrutiny to determine root cause analysis. Once the root cause has been determined, there is an opportunity to strengthen internal controls if a control was either exploited or nonexistent.
• Segregation of duties.
An area where many companies can significantly strengthen their internal controls involves segregation-of-duty policies. This is often considered the primary internal control.
One person should not have sole authority to initiate a transaction, authorize or approve a transaction and complete the transaction without appropriate sign-off processes and varying levels of management approval. Many fraud and theft events take place in companies that lack proper segregation-of-duty policies.
• Lessons learned.
While no company wants to experience internal or external fraud events, victimization may have long-term corporate anti-fraud benefits if all departments have comprehensive incident handling protocols and the incident is handled appropriately after the fact.
A fraud event without in-depth incident evaluation, lessons learned and corrective action generally means that there is an excellent chance the criminals will resume the activity and the company will continue to experience high levels of fraud.
While technology enables us to perform essential business functions, there are direct correlations between technology, fraud events and the internal control process. Technological applications are probably the single greatest source of risk and exposure that businesses face.
Robust internal controls, including platform and network access controls, remote usage and password protection policies, are needed to regulate the entire computing platform.
One thing is certain: Given the ever-changing business and regulatory environment and the number and diversity of types of frauds being committed against companies globally, internal controls must be reviewed, evaluated, tested and strengthened regularly.
It’s insufficient to create internal controls and expect them to stand the test of time without periodically modifying them to meet current conditions.
Click here to subscribe to The Tribune-Democrat print edition.
Click here to subscribe to The Tribune-Democrat e-edition.