How strong are the internal controls in your organization?
Three Arrested on Charges of Defrauding City. Employee Accused of Stealing More Than $25K from Company. Former County Deputy Accused of Grand Theft and Money Laundering. Do these headlines sound familiar?
Fraud in the workplace continues to be a hot topic in the news. We’ve heard countless stories involving individuals who have managed to find a loophole, often with their schemes going unnoticed for weeks, months or sometimes even years before being discovered. Have wayward employees learned to better circumvent the system, or have workplace safeguards grown weaker? Whichever the case may be, developing and enforcing strong internal controls is key to better preventing and detecting fraud.
Unfortunately, many employers don’t understand the importance of internal controls or where their corporation may be lacking until it is too late. It’s a far-too-common tale: company management thinks of internal controls as a foreign concept and fraud as an issue out of sight and out of mind—until something goes horribly wrong. By the time the fraud has been discovered, it is already too late—the damage has been done.
Often, internal controls are thought of as something of concern only to auditors. However, company management must understand the importance of having these controls in place and how they are essential to protecting the organization. So what exactly are internal controls?
An excellent metaphor to explain internal controls is a lockbox or a safe. Could someone manage to break into a locked safe? While it’s possible, it would most likely take a great deal of thought and effort to do so. Strong internal controls are very similar. They are safety measures put in place to help protect the organization’s assets, encourage incorruptibility and deter fraudulent activity. The strongest internal control environments typically comprise the following components:
- Management integrity. Improving faulty internal controls begins with the tone at the top. It’s simple, but effective. When employees observe an authority figure acting in an ethical manner, it often creates an expectation within the organization’s culture. Management might try communicating this expectation through training sessions, handbooks or procedural manuals. Ultimately, it’s the enforcement of the controls that is the major indicator of management’s commitment to a successful internal control system.
- Competent personnel. In theory, a skilled staff should reduce errors and improve the accuracy of financial records. An organization’s ability to recruit and retain competent personnel is an indicator of the high standard to which it holds itself.
- Segregation of duties. This component is critical in helping to reduce the risk of inappropriate activity, as well as mistakes. In essence, accounting, authoritative and custodial duties should be separated among different employees within the organization. Unfortunately, this step can be difficult to achieve for many small organizations, which may not have the necessary resources to implement this component. In such organizations, serious consideration should be given to determining roles for employees. As an auditor, I have come to realize many organizations do not understand why this is such an important component. Often, auditors’ suggestions may be viewed as an inconvenience or a baseless way of making employees perform additional work. They don’t necessarily understand why it is important that a second employee make the bank deposit, rather than the employee who entered the receipts into the system. However, allowing the same employee to enter receipts and make the bank deposit significantly increases the organization’s vulnerability to error or fraud—that is why it is important to explain why these duties should be separated.
- Record maintenance. A proper trail should be maintained for all business transactions. Not only does proper recordkeeping increase efficiency, it could also help deter an employee from creating fake transactions.
- Safeguards. This component assists in preventing unauthorized access to any valuable company information and can come in a variety of forms, whether physical, such as locks on file drawers, or intangible, such as passwords on computers.
Most fraud cases are inside jobs—the result of insufficient controls within the organization. This is why it is essential that management understand the importance of having strong internal controls in place, as well as the risks in circumventing them and the consequences of abusing them.
Poor internal controls can affect multiple areas within an organization. For instance, financial performance can become inaccurate or difficult to track or forecast. Also, lack of attention to security can cause privacy concerns, providing unauthorized access to sensitive information, including financial records or customer data. Without safeguards in place, an organization opens itself up to theft or misappropriation of assets by employees.
By focusing on the effectiveness of internal controls and implementing a comprehensive set of policies and procedures, a company can reduce its exposure to these risks. Employees should be held accountable for ethical behavior and a high level of business conduct to ensure transactions are processed properly and information is reliable. Further, to create additional safeguards, only necessary employees who require access should be allowed rights to valuable client information and/or certain applications. By cultivating a company culture in which there is continual monitoring of controls and in which employees feel comfortable reporting misconduct, the risk of fraud within an organization can be minimized.
Allie Fisher, CPA is a senior accountant in the Audit Services Department at Heinold Banwart, Ltd. She can be reached at (309) 694-4251 or [email protected].