Preventing fraud with internal controls: A refresher (2024)

Many leaders of organizations treat internal controls as a tedious task that sits at the bottom of their to-do list, and, because just about no one ever gets to the bottom of their to-do list, often those matters are never addressed. But internal controls are essential when it comes to preventing and detecting fraud, and CPAs are often the ones who must raise the issue or implement improvements.

Internal controls are a powerful tool to protect an organization’s interests and assets. Effective internal controls help organizations prevent fraud and detect it early, thus mitigating losses. A well-designed internal control system can lead to more effective and efficient operations because, for example, it allows organizations to identify and improve upon duplicate or unnecessary procedures and weaknesses in their systems. Finally, organizations have internal controls to comply with applicable laws and regulations. Being on the wrong side of laws and regulations can be very expensive for organizations, both in terms of fines and judgments and in negative hits to the organization’s reputation.

This article provides an overview for newer CPAs, and a refresher for more experienced ones, on the basics of internal controls.

TYPES OF INTERNAL CONTROLS

There are three main types of internal controls, as discussed in more detail later:

  • Preventive controls: These controls are put in place to prevent fraud from occurring in the first place.
  • Detective controls: These controls are used to discover fraud, should it occur despite the preventive controls in place.
  • Corrective controls: These are controls put in place after the detective controls discover fraud.

ASSESSING RISK

The first step to designing and implementing an effective control system is performing a risk assessment. This can be documented in a risk assessment matrix. During a risk assessment, organizations study processes and identify the risks of fraud in those processes. These risks are the inherent risks. These risks are then ranked to determine the likelihood of the risk’s occurring and the impact of that occurrence.

Once risks are ranked in this manner, organizations can then institute controls to address these risks, beginning with those that are both highly likely to occur and would have a significant impact on the organization. An organization’s goal should be to get to the point where, after controls have been instituted, the risk that remains, the residual risk, is at a level that they can live with. Armed with the risk assessment, an organization can then design controls to address those risks.

A very common fraud is the fictitious vendor scheme, where an employee steals the employer’s money by creating fictitious vendors and invoices that direct payments to that employee or a related party. Looking at the first step of creating a new vendor, an organization can begin by documenting the process and asking questions like:

  • Who has the ability to create a new vendor profile?
  • Is the creation of new accounts one of that person’s duties or does that person have access that is irrelevant to their job?
  • Is the vendor listing regularly reviewed to ensure that active vendor accounts are valid?
  • Can you tell which employee created the new account?

In the risk assessment matrix, the organization will record the risks surfaced by these questions, the likelihood of those events happening, and the impact of those events. In this example, there is the risk that an employee might create fake vendor accounts because they have been granted unnecessary access to the vendor system and because no one will know it was they who created the account. If the vendor listing is not reviewed, an employee may steal money from the organization using the fake vendor account.

A completed risk assessment matrix gives organizations a straightforward approach to recognizing where risks are, and which should be prioritized, and enables informed decisions regarding residual risk.
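The four questions above about the fictitious vendor scheme can be turned into a detective control that runs over records the organization already keeps. The following is an added example, not code from the article: it assumes a vendor master that records who created each vendor and their role, a payment register that records who approved each payment, and a payroll file with employee bank accounts, all constructed here for illustration.

```python
"""Detective control for the fictitious-vendor scheme (added example).

Three checks, one per risk-assessment question: was the vendor created by
someone whose job does not include that access, did the creator also approve
payments to that vendor (no segregation of duties), and does the vendor's
bank account match an employee's payroll account.
"""
from collections import Counter

AUTHORIZED_CREATOR_ROLES = {"ap_clerk"}  # roles allowed to create vendors

# Constructed vendor master: vendor id -> (created_by, creator_role, bank_acct)
VENDORS = {
    "V100": ("alice", "ap_clerk",  "ACCT-001"),
    "V101": ("bob",   "ap_clerk",  "ACCT-777"),
    "V102": ("carol", "warehouse", "ACCT-555"),  # access unrelated to her job
}
# Constructed payroll file: employee -> bank account
EMPLOYEE_ACCOUNTS = {"alice": "ACCT-010", "bob": "ACCT-777", "carol": "ACCT-030"}
# Constructed payment register: (vendor, approved_by, amount)
PAYMENTS = [
    ("V100", "dave",  1200.00),
    ("V101", "bob",    950.00),   # bob created V101 and approved its payments
    ("V101", "bob",   2100.00),
    ("V102", "carol",  480.00),   # carol created V102 and approved its payment
]

def creators_outside_role(vendors):
    """Vendors created by a user whose role should not have that access."""
    return sorted(v for v, (_, role, _) in vendors.items()
                  if role not in AUTHORIZED_CREATOR_ROLES)

def self_approved_totals(vendors, payments):
    """Total paid per vendor where the approver is also the vendor's creator."""
    totals = Counter()
    for vendor, approver, amount in payments:
        if vendor in vendors and vendors[vendor][0] == approver:
            totals[vendor] += amount
    return dict(totals)

def vendors_paid_to_employee_accounts(vendors, employee_accounts):
    """Vendors whose bank account equals an employee's payroll account."""
    by_acct = {acct: emp for emp, acct in employee_accounts.items()}
    return {v: by_acct[acct] for v, (_, _, acct) in vendors.items()
            if acct in by_acct}

if __name__ == "__main__":
    print("creators outside AP role:", creators_outside_role(VENDORS))
    print("self-approved payment totals:", self_approved_totals(VENDORS, PAYMENTS))
    print("vendors paid to employee accounts:",
          vendors_paid_to_employee_accounts(VENDORS, EMPLOYEE_ACCOUNTS))
```

Each hit is a lead for the vendor listing review, not proof of fraud; the matrix ranks how much residual risk remains once the review is in place.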

PREVENTIVE CONTROLS: PREVENTION IS BETTER THAN CURE

The saying “prevention is better than cure,” often attributed to the philosopher Desiderius Erasmus (1466–1536), is as applicable to the financial realm as it is to medicine. Because it generally costs an organization more to recover from fraud that has been committed than it loses from the fraud itself, it is especially important to prioritize strategies to prevent fraud from occurring in the first place. Examples of preventive controls are:

  • Segregation of duties: The core principle of the segregation of duties is that no one person should be able to abuse the system on their own. For example, the person receiving cash should not be the same person who is responsible for recording how much was received, depositing those funds, or reconciling the bank account.
  • IT passwords and access controls: Ideally, organizations should employ the principle of least privilege, which means that users should only have the level of access required to do their required tasks and no more than that.
  • Physical controls over assets: Similar to IT access controls, individuals in an organization should only have access to physical parts of the organization (such as machine rooms) if this is required for their job.
  • Training and testing: Employees should receive training in how to carry out their tasks, and there should be regular testing to ensure that tasks are being executed as recorded.
  • Firewalls and backups: Firewalls are built to protect the organization from outside attacks, and regular backups prevent catastrophic damage should an event occur.

DETECTIVE CONTROLS: NECESSARY BECAUSE PREVENTIVE CONTROLS ARE NOT PERFECT

Although preventive internal controls mitigate the risk of fraud, they are not infallible. After a risk assessment, an organization will still have a residual risk of fraud. The organization should also consider the fact that, however well controls may be designed, parties determined to perpetrate a fraud are working hard at figuring out how to get past those controls. Detective controls should be designed to catch fraud or error early and to reduce the impact should an event occur. Examples of detective controls include:

  • Physical inventory checks: For organizations that manufacture or carry physical goods, inventory checks are vital to ensure that what is recorded in the financial records actually exists.
  • Account reconciliations: Balance sheet general ledger balances should be reconciled to subsidiary ledgers, supporting schedules, or third-party documentation, such as a bank account. Differences should be explained and investigated if they cannot be explained.
  • Review and assessment of current controls.

Another aspect of detective controls is that they often work to piece together what happened and address questions such as:

  • What caused the event to occur?
  • What process or processes failed that allowed the event to occur?
  • What can we do to keep it from happening again?

CORRECTIVE CONTROLS: BUILDING ACCOUNTABILITY AND CONTINUOUS IMPROVEMENT

Once fraud has been discovered, organizations should respond quickly and decisively, taking corrective action and revisiting existing controls to improve upon them. Corrective controls should be designed to correct fraud that has occurred and ensure that similar events are not repeated. Examples include:

  • Disciplinary action: When fraud occurs, firm disciplinary action should be taken to deter other employees from committing fraud in the future. Should one find that the discovered event is due to error and not fraud, positive discipline, such as training, should be taken. The positive actions should make employees feel safe to report errors that they have made without fear. The last thing an organization needs is employees hiding errors that can metastasize into disasters before they are discovered.
  • Software patches or modifications: In our increasingly technological world, many events can be corrected with software patches.
  • New policies that address the weaknesses that have been discovered.

Even when events have not occurred, organizations should seek to continuously improve processes, performing process reviews and risk assessments to address inherent risks and maintain manageable levels of residual risk.

TONE AT THE TOP

Anchoring an effective control system is a culture that values ethics and seeks to be free of fraud, dishonesty, and corruption. Without this, controls don’t go much further than documentation. Effective control systems begin with the tone at the top of an organization. It is not enough for organizations to state values on their website, in their financial statements, and in employee manuals. Leaders in organizations should do more than pay lip service to ethics and honesty in an organization; they must practice ethical behavior, show integrity, and take corrective action when values are compromised by others in their organization. When employees know that they will not be disciplined and may even be rewarded for bad behavior, they will be more prone to practice bad behavior. When employees observe leadership overriding internal controls and ignoring policies, it sends the message not only that these controls are unimportant and not valued but also that the organization is likely easy to defraud.

PROTECT YOURSELF

If you heard that a person who kept the doors to their home wide open and all their prized valuables displayed in their front window had those valuables stolen, you might not have much sympathy for that person. An organization without well-designed and effective controls is akin to such a home, barely stopping short of putting out an ad that all assets are up for grabs. Make sure that your organization, or your client’s, has carefully considered its internal controls.

About the author

Rumbi Bwerinofa-Petrozzello, CPA/CFF, CFE, is head of strategy, consulting, at Seramount in New York City. She is a past president of the New York State Society of CPAs. To comment on this article or to suggest an idea for another article, contact joaed@aicpa.org.

LEARNING RESOURCE

Fraud Risk Management Guide, 2nd Edition

This guide offers a blueprint for helping organizations establish an overall fraud risk management program. (See the executive summary.)

PUBLICATION

For more information or to make a purchase, go to aicpa-cima.com/cpe-learning or call the Institute at 888-777-7077.

AICPA & CIMA RESOURCES

Articles

“Auditing Best Practices: What Academic Fraud Research Reveals,” JofA, Jan. 20, 2023

“Fraud Is Suspected: Now What?” JofA, Aug. 2022

“6 Ways to Make the Entire Organization Care About Anti-Fraud Efforts,” JofA, Oct. 18, 2021

Podcast episode

“Won’t Get Fooled Again: The Who, What, and Why of Fraud,” JofA, March 2, 2023

CFF credential

The Certified in Financial Forensics (CFF) credential positions forensic accounting professionals for increased demand in one of the fastest-growing specialty areas for CPAs. To become a CFF credential holder, the CFF Roadmap serves as a step-by-step guide illustrating how a CPA, at any level of expertise, can utilize the resources provided to FVS Section members to embark on the journey of obtaining the AICPA’s CPA-exclusive forensic accounting credential.

Other resource

Fraud Risk Frameworks
