Risk Assessment and Internal Controls: Key Elements to Prevent Fraud
BondBeebe
John Merchant, CPA
Is your organization safe from fraud? The answer to that question will depend on your answers to a number of other important questions:
- Are the internal controls of your organization sufficient to prevent fraud?
- Did you perform a risk assessment prior to implementation of those controls?
- Do you monitor the effectiveness of the system of controls?
These are some of the questions that you and those charged with the governance of your company should constantly be considering to help keep your company safe. Whether you own a small business, run a burgeoning enterprise, or oversee a charitable organization, developing a proper system of internal control and regularly monitoring risk is essential for fraud prevention.
The Committee of Sponsoring Organizations (COSO) has developed definitions and guidelines regarding the procedures that should be followed in assessing risk and developing and maintaining a good system of internal controls in order to reduce the risk of fraud. COSO defines internal controls as the processes implemented to provide reasonable assurance regarding 1) the reliability of financial information, 2) compliance with laws and regulations, and 3) effectiveness and efficiency of operations.
There are five basic elements that lead to a good system of internal control. These elements are control environment, risk assessment, control activities, monitoring, and information and communications. Let’s break these elements down to look at how they can be implemented in your company.
Control Environment. Any good system of internal controls must begin with the control environment, particularly the “tone at the top.” You must make it clear to employees, investors, vendors, customers and competitors that the company will be run honestly and ethically and deviations from this policy will not be tolerated.
Risk Assessment. Once a proper tone is established, you should then perform a risk assessment. What areas of financial reporting are most vulnerable to fraud or error? Which assets are most likely to be stolen, misappropriated or wasted? In what areas is failure to comply with laws and regulations most likely to occur? In other words, you want to assess the areas where there is the greatest risk that your organization will not be successful. These are essential questions to ask as you look to protect your company from various types of fraud.
Control Activities. Once risk has been assessed, institute policies and procedures that mitigate those risks. A system of internal controls must be designed specifically to address the greatest areas of risk, whether the risk is the occurrence of fraud or error. Control activities that mitigate risk include segregation of duties, safeguarding of assets and policies related to information processing.
Unfortunately, leaders and management often accomplish the first three steps and then fail to follow through on the two elements listed below. Once the control environment has been established, risk has been assessed and control activities have been designed and implemented, there must be follow up in the form of monitoring and information and communications.
Monitoring. Monitoring of the internal control system may include internal audits, testing of procedures, follow up on errors and reaction to perceived deficiencies. If it is clear that there are shortcomings in the system, the system will need to be altered. Both design and implementation are critical. It is not enough to assess risk and design a system of controls to mitigate those risks – the system must also be properly implemented. A system that is well designed but improperly implemented is probably as ineffective as a fully implemented system that was not properly designed.
Communication. Finally, there must be clear communication of information. Provide all levels of employees with the information that they need to properly carry out the activities of the organization and adhere to the developed controls.
Organizations that are victimized by fraud often find that a faulty system of internal controls is to blame. After establishing an appropriate control environment, if you properly assess risk, design and implement a system of controls to mitigate those risks, monitor effectiveness and clearly communicate with your employees, you may not be able to fully remove the risk of fraud, but you can significantly decrease your risk of fraud and help protect your company’s assets.