An interesting conversation last evening with four anti-fraud professionals I’ve known for years. One discussion question: “Do internal controls prevent fraud?”
The consensus answer: some controls prevent some fraud sometimes!
Let me explain.
Anti-fraud controls are based on a two-step process.
First, a meaningful, comprehensive fraud risk assessment is the foundation. Done properly, this effort produces a deep list of the risks from theft, manipulated financial and other results, corruption, shadow deals, technology, and management override. In performing a fraud risk assessment, ‘meaningful’ and ‘comprehensive’ are the key words. Half-hearted boilerplate efforts by external firms usually fall far short. The best exposure work is done by a dedicated team of insiders with the technical knowledge and street sense needed to ‘think like a thief.’
Second, specific procedures and behaviors are developed, implemented and maintained to prevent these risks from happening and detect them immediately should they occur despite prevention efforts. Listen carefully here. Procedures and behaviors. Daily behaviors by trained conscientious employees and managers.
Here are some high-level examples of what we mean by controls.
1. Clear policies and procedures spelling out approved use of organization assets, staff and information.
2. Limiting access. Physical controls like the lock on the front door, the fence around a warehouse, and the security guard in the lobby. Logical controls like the password on your computer system, which limits who can log in and so protects confidential information and critical systems.
3. Authorization responsibilities and limits.
4. Proper documentation in support of transactions and other business activities.
5. Monitoring and analysis. Independent reviews, where appropriate, by someone else at a higher level or a different department.
6. Segregation of incompatible duties. Things like transaction initiation, recording, approval, summarization and analysis. Or the receipt, management and disbursement of funds.
7. Supervisors who pay attention to details, spot check the quality of work, and always make sure what they personally sign is correct.
8. Employees at all levels who will not hesitate to stop the process and sound the alarm when something doesn’t look right.
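As an added illustration, not part of the original post, here is how items 3 through 6 look when a payment system enforces them in code rather than on paper. The approvers, their limits, the vendor master and the batch of payments are all constructed for the example; the names are hypothetical.

```python
"""Segregation of duties, authorization limits and a monitoring pass,
expressed as checks over a constructed batch of payments."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed, hypothetical authorization limits per approver (control 3).
APPROVAL_LIMITS = {"alice": 5_000, "bob": 25_000, "carol": 100_000}

# Constructed vendor master: who set each vendor up (controls 4 and 6).
VENDOR_CREATED_BY = {"acme": "dave", "globex": "alice"}


@dataclass(frozen=True)
class Payment:
    pid: str
    amount: int
    vendor: str
    initiated_by: str
    recorded_by: str
    approved_by: str


def control_violations(p: Payment) -> list[str]:
    """Preventive checks a payment must pass before funds are disbursed."""
    v = []
    # Control 6: initiation, recording and approval sit with different people,
    # and the person who set up the vendor does not also pay it.
    if p.approved_by == p.initiated_by:
        v.append("approver initiated the transaction")
    if p.approved_by == p.recorded_by:
        v.append("approver recorded the transaction")
    if VENDOR_CREATED_BY.get(p.vendor) == p.initiated_by:
        v.append("initiator also set up the vendor")
    # Control 4: the transaction must point at a documented vendor.
    if p.vendor not in VENDOR_CREATED_BY:
        v.append("vendor not in vendor master")
    # Control 3: the approver must have, and stay within, an authorization limit.
    limit = APPROVAL_LIMITS.get(p.approved_by)
    if limit is None:
        v.append("approver has no authorization limit")
    elif p.amount > limit:
        v.append(f"amount {p.amount} exceeds {p.approved_by}'s limit of {limit}")
    return v


def review(payments) -> dict[str, list[str]]:
    """Control 5: independent review pass; returns only the payments that fail."""
    failed = {}
    for p in payments:
        problems = control_violations(p)
        if problems:
            failed[p.pid] = problems
    return failed


def split_payment_alerts(payments) -> list[tuple]:
    """Control 5, detective side: several payments to one vendor, each under
    the approver's limit but together over it, is the usual way a limit is
    circumvented after every preventive check has passed."""
    groups = defaultdict(list)
    for p in payments:
        if not control_violations(p):  # only payments that cleared prevention
            groups[(p.vendor, p.approved_by)].append(p)
    alerts = []
    for (vendor, approver), ps in groups.items():
        total = sum(p.amount for p in ps)
        if len(ps) > 1 and total > APPROVAL_LIMITS[approver]:
            alerts.append((vendor, approver, total, [p.pid for p in ps]))
    return alerts


# Constructed sample batch for the example (not real data).
SAMPLE = [
    Payment("P1", 4_000, "acme", "alice", "bob", "carol"),   # clean
    Payment("P2", 3_000, "globex", "alice", "bob", "alice"), # self-approved, own vendor
    Payment("P3", 30_000, "acme", "eve", "alice", "bob"),    # over bob's limit
    Payment("P4", 4_900, "acme", "eve", "bob", "alice"),     # each under alice's limit...
    Payment("P5", 4_900, "acme", "eve", "bob", "alice"),
    Payment("P6", 4_900, "acme", "eve", "bob", "alice"),     # ...together well over it
]

if __name__ == "__main__":
    for pid, problems in review(SAMPLE).items():
        print(pid, problems)
    for alert in split_payment_alerts(SAMPLE):
        print("split-payment alert:", alert)
```

The point of the two passes is the one the post makes about prevention versus detection: P4 through P6 each clear the preventive checks, because every individual amount is under the approver's limit, and only the monitoring pass over the whole batch notices that one approver has waved through three payments to one vendor totalling nearly three times her authority.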
And this is just the start. There are entire multi-volume models of comprehensive business and anti-fraud controls, perhaps the most famous of which is the COSO Internal Control – Integrated Framework (www.COSO.org).
But there are limits to how far controls will go to protect us against fraud. Here are two examples of the limits:
1. Things change. New people come in. Systems are modified. We move to new cultures and new countries with our product lines. We institute a heavier reliance on technology thus reducing human oversight of details.
2. It’s a human endeavor. The people in the control equation fail to keep up with what’s needed because of:
• Changing risks
• Emerging risks
• Human fatigue
• Inadequate information
• Inadequate skills
• Inadequate attention to details
• Inadequate time to perform the control tasks completely
• Improperly placed trust in others
Well designed anti-fraud controls are an important part of a comprehensive Anti-Fraud Campaign. But it is in fact a campaign – not an event. Controls must come alive and stay alive through human attention to details every single day.
‘Control Procedures’ are the minimum. ‘Controls Behavior’ is the target. Nothing less will work.
John J. Hall, CPA, is an author, speaker and results expert who presents around the world at conventions, corporate meetings and association events. Throughout his 35-year career as a business consultant, corporate executive and professional speaker, John has helped organizations and individuals achieve measurable results. He inspires audience members in corporations, not-for-profit organizations and professional associations to step up, take action and “do what you can.”