Developing an understanding of the various factors that contribute to the risk of fraud is only the first step in a fraud prevention strategy. Following this, it is necessary to implement policies that will help to reduce the threat.
Some of the measures that can guard against the threat of fraud were explained previously in this chapter. Consider what is perhaps the main, and certainly the most common, prevention tool: a good system of internal controls.
1.3.1 Defining Internal Control Objectives
In recent years, fraud proofing has appeared in the literature and some seminars. This term is somewhat misleading, however, because no internal control system can completely eliminate the risk of fraud. What fraud proofing should do, in theory, is reduce the risk of fraud to an acceptable level. If you have suffered from a fraud attack, consider interviewing the fraudster after the case is closed. Many fraudsters have a bit of braggadocio in them and, as a result, are only too willing to let you in on the very holes in your control system that they exploited.
The risk of fraud is not the only factor in defining internal control objectives; for example, management information and reporting requirements are important considerations as well. However, the acceptable levels of risk and opportunity, as defined in section 1.1.6, should also be considered. This means effectively combining the three levels of internal control (basic, supervisory, and audit; see sections 1.3.2-1.3.4) to limit the risk of fraud to acceptable levels.
1.3.2 Basic Controls
A variety of basic controls exist in a typical system of internal controls. The most relevant basic controls are grouped into three categories: physical access, job descriptions, and accounting reconciliations and analyses.
Most people acknowledge the need to control physical access to valuable assets, including intangible assets such as information. Measures to control physical access include the obvious practice of locking doors, desks, and file cabinets so that unauthorized personnel, either within or outside the organization, cannot gain access. Other measures include employee IDs and passwords, computerized security systems (for example, access cards that record time of entry and exit), and electronic surveillance systems, which should include every new innovation that the business can afford, such as biometrics (for example, iris scans and voice recognition).
As a general rule, organizations should restrict physical access to those who require it to perform their job function. Of course, controlling physical access in this way will not completely reduce the risk of fraud. However, it will help to reduce the risk in the following ways:
· Many frauds require that the perpetrator come into physical contact with either the asset being misappropriated, or the related asset records, in order to conceal the fraud. Reducing physical access reduces opportunity.
· Physical access controls are often the most visible to potential perpetrators. Strong controls in this area send a powerful deterrent message vis-à-vis the other controls in the system. Conversely, loose physical controls invite challenge.
· Access controls that do not prevent fraud often assist in the fraud investigation process (for example, determining what actually happened and narrowing down suspects).
Carefully screening who had access to cash receipts would have saved one U.S. County Clerk much grief. According to a newspaper report, a temporary employee was stationed at the front desk to handle passport applications, including collecting the necessary fees. The temp properly recorded and submitted for processing those applications paid for by check or money order. She pocketed any cash received and destroyed all evidence of the cash applications so that there was no record of the transaction. Not paying attention to controlling physical access led to several thousands of dollars in losses.
Formal, specific job descriptions are a very effective fraud prevention tool. These descriptions should spell out exactly what is expected of each employee. Generally, employees should not perform duties outside their job description. Those who do represent a significant red flag.
Create job descriptions that reflect the important principle of division of duties. For example, employees with physical control over an asset should not also keep the records relating to that asset (this will only make it easier for them to cover up the fraud). Segregate all other especially sensitive duties, for example, purchasing and check signing.
The need for job descriptions goes beyond the widely recognized concept of segregating duties, although it is certainly one of the important consequences of job descriptions. Some cases may result in an entirely appropriate duplication of duties, for example, double signing checks. Specify in the job description that all employees must take annual vacations (another well-known fraud prevention tool, because an employer can more likely discover perpetrators running an ongoing fraud scheme when they're removed from the scene).
Thus, it is apparent that employers must approach the process of formulating job descriptions for their employees in an integrated fashion. From an internal-control and fraud-prevention perspective, different tasks performed by different individuals may be interrelated; therefore, an appropriate job description for one employee will often depend on the job descriptions of others, and vice versa.
Employers often ignore or underestimate the need for formal job descriptions, writing them off as "more useless paper." At other times, employers create job descriptions but then ignore them. This attitude invites trouble. As one leading fraud investigator put it: "When people begin to do things outside their job description, you have reason to be concerned. If it goes unrewarded, they begin to develop a justification to steal. It's very important that job descriptions are clear, agreed upon, and adhered to."
Accounting Reconciliations and Analyses
After access controls and job descriptions, accounting reconciliations and analyses are the third most important group of basic controls. An essential ingredient of a successful fraud is successful concealment. Regular, appropriately performed accounting reconciliations and analyses often make such concealment difficult or impossible.
Perform accounting reconciliations regularly (for example, on a monthly basis), including:
· Bank reconciliations, for all accounts
· Accounts receivable reconciliations (both month to month and general ledger to subledger)
· Accounts payable reconciliations (again, both month to month and general ledger to subledger)
The exact nature of the accounting analyses performed depends on the nature of the organization's operations. Analyses relevant for most organizations include:
· Variance analysis of general ledger accounts (budget to actual, current year versus prior year, and so on)
· Vertical analysis of profit and loss accounts (that is, calculation of expenses as a percentage of sales, and comparison of these percentages with historical standards, or budgets, or both)
· Detailed sales and major expense analyses (for example, by product line or territory)
Of course, organizations often undertake accounting reconciliations and analyses with other purposes in mind, for example, to make management decisions or to ensure the accuracy of the accounting records, or both. Nevertheless, this process also can highlight discrepancies that point to fraud.
Supervision represents the second level of internal control. From a fraud prevention perspective, strong supervision is vital—especially in small businesses that may have difficulty achieving segregation of duties.
Note that active supervision most definitely differs from supervisory or management override, in which a manager or supervisor actually takes charge of or alters the work of a subordinate. In fact, override itself is a red flag; that is, it suggests that the manager or supervisor may be engaged in fraud or the concealment of one. Allow basic controls to operate as they were intended, rather than to be circumvented by those at higher levels.
As a fraud prevention mechanism, good supervision consists of:
· Fraud awareness
· Approval, review, double-checking and redoing
Fraud prevention specialists constantly emphasize the need for "fraud awareness," to the point that the term has almost become a cliché. However, such awareness is perhaps the key prerequisite in building any effective fraud prevention strategy, and is especially important at the supervisory level.
Specifically, supervisors must be alert to the possibility of fraud whenever an unusual or exceptional situation occurs, such as complaints from suppliers or customers, discrepancies that don't make sense, or accounting reconciliations that don't balance. If a manager's mind is closed to the possibility of fraud during an unusual or exceptional situation, the risk of the fraud continuing unabated greatly increases.
Several businesses have had positive results in raising employees' awareness by publishing regular internal newsletters. In addition to reporting actual fraudulent activities, the newsletters relate the impact of the fraud on both the employees and the bottom line.
Approval, Review, Double-checking and Redoing
In addition to awareness, fraud prevention demands that supervisors actually supervise. This means going beyond the typical approval function, such as initialing invoices or performing other duties of supervisors and managers. A more thorough review, double-checking employees' work, and redoing some tasks may be necessary and should be approached diligently. For example, assign supervisors the responsibility of double-checking important procedures such as the monthly bank reconciliation; that is, comparing the numbers on the bank reconciliations to those on the bank statements and in the general ledger, making certain those numbers total correctly, test-checking outstanding items at the very least, and so on. To simply initial bank reconciliations in a habitual or reflex-like manner without really reviewing and actually redoing them invites fraud.
For example, the owner of a busy downtown restaurant used the following system of internal control for sales. Employees entered all prenumbered customer bills into the cash register, and at least once each day the hostess/bookkeeper batched the customer bills, listed them on a deposit sheet, and made the related bank deposit.
The owner then matched the totals on the deposit sheet with the amounts shown in the stamped deposit book, and believed this to be adequate supervision.
The owner's supervision of the bookkeeper, however, was inadequate, especially because she was responsible for handling the cash (the bank deposit) and related records (customer bills, cash register tapes, deposit sheets). In fact, over a three-month period, the bookkeeper skimmed a portion of each day's cash receipts by omitting some of the cash sales bills and pocketing the corresponding amounts. The owner might have uncovered the fraud by using any one of the following methods:
· Segregating duties: The owner rejected this method because he trusted the bookkeeper and did not want to incur the cost of an additional employee.
· Accounting for all prenumbered bills: The owner opted not to use prenumbered bills because it was too time-consuming. The bookkeeper intentionally did not list the bills in numbered order on the deposit sheet and prenumbered books were issued out of sequence to waiters and waitresses.
· Matching daily cash register tapes to the daily cash deposit: The owner rejected this simplest and most appropriate method, not wanting to check his employee's work in this way because the tapes were a messy "dog's breakfast" kept in a shoe box by the bookkeeper, entirely by design, of course, to cover up the fraud.
The owner eventually uncovered the fraud when the bookkeeper became too greedy and withheld a bit too much from what the owner knew was an especially good cash sales day, which raised his suspicions and led to an investigation.
This example illustrates the necessity of supervision: often it is the primary defense against ongoing frauds such as the skimming of cash or the lapping of accounts receivable. The maximum opportunity level for the bookkeeper in the previous example should have been the outright theft of the day's cash receipts, typically less than half of a day's total receipts of about $10,000. However, inadequate supervision allowed a smaller amount of cash (about $700 a day) to be stolen over a period of three months, which amounted to a total loss of over $60,000.
From a fraud-prevention perspective, audit represents the third level of an organization's internal control system.
Internal auditors work for the organization and perform the kinds of work defined by senior management. In this sense, internal auditors are an extension of senior management: they have the same concerns and deal with the same issues described throughout this chapter. Therefore, their work might include fraud detection, or developing fraud prevention mechanisms, or both.
The training programs and available literature for internal auditors, as provided by the Institute of Internal Auditors (IIA), pay specific attention to the issue of fraud prevention and detection. Historically, the perspective of internal auditors differs from that of the external auditors, which is described below.
External auditors are independent of the organization. They report on financial statements and perform other independent reviews. The restricted role of the external auditor has evolved over time. During the late 1800s and into the early 1900s, auditors actively looked for fraud, serving as a kind of "bloodhound." Court rulings redefined their role to that of a "watchdog." Today, auditors are expected to bark if they see something suspicious, but they are not expected to sniff around for things that might be suspicious.
This watchdog metaphor has persisted throughout most of the twentieth century. In particular, the concept of materiality has played an important part in the accounting profession's view of fraud, which is, specifically, that an auditor's procedures cannot be expected to detect immaterial frauds. No audit can be expected to give absolute assurances in this area, and even limited assurances would require procedures so extensive that the audit would be uneconomical. If a fraud is material enough to affect the financial statements of an organization-and an auditor's opinion on those financial statements-then the auditor's procedures may uncover it. However, there is certainly no guarantee of detection. For example, even when the auditor's procedures are sound, the perpetrator(s) may go to extensive lengths to deceive the auditor and hide the defalcation.