Fraud prevention: Improving internal controls
Internal fraud controls aren't fire-and-forget. Smart collaboration and ongoing improvement will help keep fraud in check. Here are the basics.
By Daniel Draz, M.S., CFE
March 28, 2011 — CSO —
There are several keys to effective fraud prevention, but some of the most important tools in the corporate toolbox are strong internal controls. Equally important, though, are the company's attitude towards fraud, internal controls and an ethical organizational culture. While ethical culture is driven by senior management's control environment ("tone at the top"), buy in from the company's Board of Directors and Audit Committee are also essential in promoting an ethical and transparent environment.
The focus of this article is on strengthening internal controls. According to the Committee of Sponsoring Organizations (COSO),
Internal controls should not be thought of as "static." They are a dynamic and fluid set of tools which evolve over time as the business, technology and fraud environment changes in response to competition, industry practices, legislation, regulation and current economic conditions.
Missing checks and disappearing funds: Take an exclusive look inside the Anatomy of a fraud
While no company, even with the strongest internal controls, is immune from fraud, strengthening internal control policies, processes and procedures definitely makes companies a less attractive target to both internal and external criminals seeking to exploit internal control weaknesses.
Strengthening internal controls is seldom accomplished by enhancing one process; rather it involves a comprehensive review of the risks faced, the existing internal controls already in place and their adequacy in preventing fraud from occurring. An internal control review may be conducted corporate-wide or on a location by location basis, or broken down to the individual business unit level. Generally, a review of this nature involves an in depth examination of people, processes and technology. However, there are other intangibles your organization can not afford to overlook.
Audit InteractionThe first part of strengthening internal controls involves changing the attitude some employees have towards auditors. While it is easy to view auditors as the police department's "Internal Affairs" group—whose sole responsibility it is to ferret out wrongdoing—identifying employees who are breaking the rules, personal and professional success is to be had by viewing auditors as key partners and allies in the battle against fraud. This is further reinforced as the auditor's role ensures that he or she is always at the forefront of corporate policies, practices, procedures, technology, new products and services, making auditors a valuable source of corporate information.
Secondly, part of strengthening internal controls is simply a matter of defining, or clarifying, ownership roles and responsibilities.
A common misperception among corporate employees is that internal controls are solely the responsibility of the company's Audit Department. While internal auditors measure the effectiveness of internal control through their efforts, they don't generally assume ownership. They assess whether the controls are properly designed, implemented and working effectively and make recommendations on how to improve internal control.
According to the Institute of Internal Auditors (IIA), "responsibility for the system of internal control within a typical organization is a shared responsibility among all the executives, with leadership normally provided by the CFO."