As we discussed in Part 1 of this series of articles, when management of an organization relies solely on an annual audit of its financial statements by an independent CPA firm as its protection against occupational fraud, the organization is probably not nearly as well protected as management believes. While an annual audit is a good idea, it must be supplemented by other fraud prevention policies and procedures. One of the best steps management can take is to create, implement and maintain a strong system of internal controls.
What exactly is a system of internal controls? Simply defined, a system of internal controls is the policies and procedures adopted by an organization to achieve two basic goals – safeguarding the assets (resources) of the organization and promoting accuracy and reliability in the accounting records. Management of an organization that safeguards its assets and makes decisions based on reliable accounting information is much more likely to maintain a healthy and effective entity than the management of an organization that downplays the value of internal controls. And, a potential benefit of good internal controls is the detection and prevention of occupational fraud that can drain an organization of its resources.
According to a survey conducted by the Association of Certified Fraud Examiners (ACFE) in 2008, 23% of documented occupational frauds were initially detected by the system of internal controls. As mentioned earlier, only about 9% of documented occupational frauds were detected by independent auditors. Does this mean that a strong system of internal controls is more effective in preventing fraud than an independent audit? Perhaps it does. After all, as stated above, one of the basic objectives of the system of internal controls is the safeguarding of assets. But, that statistic may also demonstrate that organizations with strong internal controls detected fraudulent activity and dealt with the situation before the independent auditors ever arrived. If this is the case, then there is probably no better justification for a strong system of internal controls than the potential to detect and eliminate fraud in its early stages. Common sense will tell you, as will any Certified Fraud Examiner (CFE), that the earlier a fraud is detected and stopped, the lower the ultimate cost to the organization.
So, what does it take to have a strong system of internal controls? There are two basic requirements to achieve that end. First, the system for any organization must be appropriately designed to be effective for that organization. Many times as we perform services as CPAs or as CFEs we study the system of internal controls of an organization and find that it is so poorly designed and has so many shortcomings that the chances of it being effective are minimal. And, conversely, the chances of theft or misappropriation of assets are optimal. There is no such thing as a generic system of controls. Every system must be tailored to meet the needs of the individual organization and when management of an organization designs its system by copying the system of another organization, they may well be setting themselves up for disaster.
The second requirement for a strong system of internal controls is that it must be properly implemented and maintained. Obviously, no matter how well designed the system is, it will not be effective if it is not followed. Sometimes members of management take great pride in the design of their system of controls and operate with great confidence in its effectiveness. They are often appalled to learn later, sometimes after the discovery of fraud, that their brilliantly designed system was never actually implemented or has not been followed by their staff. Perhaps the staff did not understand what they were required to do, or perhaps they did not see the point and decided that the required procedures were not worth the effort. Whatever the reason, a system of controls, no matter how well designed, will not be effective if it is never implemented or if it is not maintained as designed.
If you’re interested in learning more about your internal controls or have your questions answered, contact our experts by filling in the form below.