Preventing Fraud: How Solid are Your Internal Controls?

John A. Merchant, CPA, CFE, CFF

Fraud in the workplace has become a major topic of conversation over the past few years.  It seems that frauds of various types are being reported at a rate far greater than just a decade ago.  Are there really more frauds being committed today than ten years ago, or are we just getting better at finding them?

Whatever the answer to that question is, it is clear that one of the best methods of detecting and preventing fraud is a strong system of internal controls.  According to studies done by the Association of Certified Fraud Examiners, 19% of detected frauds are uncovered by internal controls.  In comparison, only 12% are uncovered by audits. This does not mean that audits are ineffective.  This finding occurs because organizations that have strong internal controls are able to detect and stop frauds before the auditors start their work.  And, of course, earlier detection normally means smaller losses for the organization.

How strong are the internal controls of your organization?  Are they adequate to safeguard the organization’s assets?  Are they well designed and appropriately implemented so that fraudulent acts will quickly come to light?  Are they strong enough that potential thieves know they will get caught, and therefore don’t even try?

Assess Your Internal Controls

Following are a dozen basic questions that should be answered “yes” for most organizations. Ask yourself these questions and rate your organization’s controls:

  • Are two signatures required on checks and are both signers required to review backup documentation for the disbursement before signing?
  • Are bank reconciliations prepared by someone who does not have check signing authority?
  • Are accounts receivable records maintained by someone who does not deal with cash receipts and bank deposits?
  • Are fixed assets tagged for identification and periodically inventoried?
  • Are accounts payable records maintained by someone who does not deal with cash disbursements?
  • Are accounting and billing personnel required to take annual vacations?
  • Are journal entries approved and posted by someone other than the person who originated them?
  • Are vendors paid only from original invoices, not from statements or fax copies?
  • Are payments to vendors mailed out by someone other than the person who originated the payment?
  • Are computer passwords kept secret and changed on a regular basis?
  • Are terminated employees immediately denied access to your computer network?
  • Are reports of data changes and overrides in your computer system regularly produced and reviewed?

The Consequences of Weak Internal Controls

Our experience shows that organizations that answered “no” to some of these questions often came to regret it.  For example:

  • An accounting clerk who never took vacations ran a check kiting (substitution) scheme that was not detected for months.
  • A controller who made journal entries that no one ever reviewed covered his unauthorized expenditures by adjusting expense accounts to cover up budget variances caused by his theft.
  • An employee with access to the database of an employee benefit plan accessed participant addresses and changed some to her home address.  Thus, she received, and kept, benefit payments that should have gone to participants.
  • A bookkeeper generated duplicate payments to vendors by using statements instead of original invoices, called the vendors about the overpayments and had refund checks sent to her attention.  Those refund checks never made it to the organization’s bank account.

How did you do on the questions?  If you could not answer “yes” to all of them, or you really are not sure about the answers, it is probably time for an independent evaluation of your control procedures.  The questions above only cover very basic controls and only scratch the surface in comparison to the inquiries in a true study and evaluation.

Internal Control Studies

One of the fraud prevention services we offer is a study and evaluation of both the design and the implementation of an organization’s controls.  Such a study involves far more in-depth questions than those above and often uncovers flaws and shortcomings in the system.  Once we dig in, we often uncover “holes” in the system of controls that no one had ever thought of before.  Sometimes an organization’s system of controls is flawed because it is not properly designed for that organization.  In other cases, the system of controls is properly designed but has not been properly implemented.  Either way, the organization has a problem.

So, how do you rate the controls of your organization?  As Certified Public Accountants and Certified Fraud Examiners, we routinely perform both fraud prevention services and fraud detection services for clients.  We can get involved in fraud prevention, and help you stop losses due to fraud before they occur. Or, we can get involved in fraud detection and help you determine how much you have lost after a fraud has occurred.  We prefer to get involved in prevention. Wouldn’t you prefer it that way too?

Share this post