Whenever a fraud is committed, we hear the term “Internal Controls” thrown around. What exactly does “Internal Controls” mean? Internal Controls are defined as “mechanisms, rules and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability and prevent fraud”. In the Accounting and Auditing world, Internal Controls are defined as “a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies”. I would argue that Internal Controls extend well beyond the accounting department and impact each department under the business’ internal infrastructure.
There are two types of Internal Controls: preventative controls and detective controls. Preventative controls aim to detect errors or prevent fraud from happening in the first place. They include a thorough documentation and authorization process. Preventative controls also include limiting physical access to equipment, inventory, cash and other assets. Detective controls are designed to catch items or events that may have been missed in the preventative control process. For example, a bank reconciliation can be used to detect fraudulent financial activity. Detective controls include audits, examinations and inventory activities.
We previously mentioned the term “Separation of Duties”. Separation of Duties involves splitting responsibility for tasks such as bookkeeping, deposits, reporting, auditing, etc. between multiple employees. The more separation between duties or tasks, the less chance a single employee is going to commit a fraudulent act. Further, a rotation of duties amongst staff is also important. This prevents items from being “siloed” or an employee from “building a kingdom”. By rotating duties, the opportunity to bury something or commit fraud decreases because another employee may catch it.
Whenever the latest data breach hits the news, the first thing the public is instructed to do is change their passwords. Businesses should keep a secure list of employee and asset passwords, and limit access to items to only those who need it. Further, password-accessible items and sites should be examined often to ensure that they are in compliance. Many programs provide an electronic logging system to identify who logged in and when, along with where in the program the employee may have visited. Simply having this type of control system in place may deter an employee from committing a fraudulent act. Enforcing the control system and reviewing it will definitely deter an employee.
A common type of Internal Control used in hospitality and retail is the “spot check”. A manager or supervisor may take over a cash register mid-shift and spot count the cash in the drawer versus the transactions that the register shows as taking place. A spot check can also include physically viewing an asset or comparing cleared and unused checks in an accounting system or drawer. It also includes inventory counts for materials and/or tools. These types of checks can reveal discrepancies in balances and reporting and may even lead to a culprit if conducted often enough.
Using standardized documents helps maintain consistency and may reveal fraudulent and altered transactions. Invoices, Material Requests, Purchase Orders, Receipts, Expense Reports, etc. should always be submitted using a standardized form. If something looks off, such as a different font, logo, alignment, etc., those items should be red-flagged and investigated to ensure authenticity.
Another tool we often refer to is account or bank reconciliation. Back in the old days, we called this “balancing your checkbook”. A reconciliation will ensure that the balance in the accounting system matches the balance at the banking or financial institution where the account is held. The reconciliation should include a comparison of cash balances, deposit records, receipts and payments made from the account in question. Keep in mind, the reconciliation usually covers a specific period with a starting and ending balance, such as a monthly bank statement. Reconciliations can also be applied to inventory, vendors, customers and other accounts and business functions.
Requiring written management or supervisor approval may add an extra layer of responsibility and protection. However, this is one area that is often abused, as a manager or supervisor may not always have the time to appropriately review a transaction or request and may sign off on something they would not have wanted to sign off on. One myth often used by organizations is the “dual signature” for payments exceeding $X. While the organization may require dual signatures internally, banks are not required to accept dual signatures when processing payments. However, the act of requiring dual signatures may be a fraud prevention measure that acts as a deterrent to someone who may be considering a fraudulent act.
A few more areas to look at implementing in an Internal Control program include conducting background checks on prospective employees, current employees and even past employees. Further, background checks should also be conducted on vendors and active customers. The thing to look for is possible relationships between employee, vendor and/or customer that may cause a fraud to occur. We would also encourage a business to have written Internal Control policies in place and review them with employees periodically. A review of Internal Control policies should also occur and allow items to be updated or clarified. Management and Ownership need to set the tone for Internal Controls and need to enforce policies that let employees and potential fraudsters know that violations of these policies will not be tolerated.
For some businesses, implementation of Internal Controls might be an expensive endeavor. However, the savings from preventing fraud, theft or damage to a business’ reputation would offset any monetary cost associated with enforcing Internal Control measures. Activities included under Internal Control measures consist of authorization, documentation, reconciliation, security and separation of duties. These are all things we have discussed as fraud prevention measures in just about every white paper, case study, video or ad we have ever published.