Don't Let Fraud Destroy Your Business: Use Internal Safeguards to Stymie Crime

By Whitton, Jeff*

I have heard it many times during my thirty years working as a CPA in the area of fraud and internal accounting controls:
Well, maybe so. But for trustees and others working with other people’s money in a fiduciary capacity, ignoring the risks related to internal fraud is a high stakes wager. I’ve learned a few hard lessons over the years.

First, good people do steal, from single mothers trying to pay for their kid’s education to long-time employees who begin to believe that they are worth more than they are being paid. As any police detective will tell you, theft is more about opportunity and motive than about being a good or bad person. If the opportunity to steal exists and a “good” person is confronted with circumstances that present them with a strong motive, a long-trusted employee can become a criminal in an instant.

Second, employees know when the boss is not paying attention. Our everyday actions make evident the tone and priorities established by top management. You may be heading for trouble if upper management ignores internal controls, leaving implementation to the accountants, with little to no oversight. There are many clever ways to take cash out the door without your knowing about it.

Last, a few written policies are worth a thousand protestations when it comes to substantiating that you have been a good steward for your client’s assets and have fulfilled your fiduciary responsibilities. Your best defense against allegations of negligence or lack of due care arising from a fraud-related theft is a formal written code of conduct, well-documented accounting and internal control policies and procedures, and documented evidence of compliance with those procedures.

The responsibility for designing and implementing a good system of internal control clearly rests on the owners, directors and officers of companies. The risks of ignoring these responsibilities include large monetary losses and adverse judgments, denial of claims by insurance companies, loss of reputation and business, and even potential personal civil liability.
All of this can probably be avoided with a little effort and planning. An adequate internal control system consists of three basic elements: (1) creating a culture of honesty and high ethics, (2) evaluating fraud risk and designing and implementing controls, and (3) compliance testing, reporting and oversight.

A good first step in this direction is establishing a formal code of conduct that clearly sets out the company’s expectations for employee behavior and the consequences for violations in conduct. The written code should be sent to every employee annually, requiring written confirmation by the employee that they understand and accept their responsibilities under the company’s code of conduct.

Evaluating Fraud Risk and Designing and Implementing Controls

This is the most difficult part of the process. You have to fully understand your accounting system and identify the areas where significant risk of fraud exists. Your CPA or similar advisor may be required to help you to identify all of the possible risk areas and to design policies and procedures that will mitigate these risks. There exist a few simple procedures that can be implemented in almost every company that will go a long way in mitigating the risk of a fraud-related theft.
These simple procedures can be implemented with very little effort and will significantly mitigate your fraud risk related to cash receipts and disbursements.

After all of the controls have been adequately designed, it is important that they be well documented and that your accounting staff is adequately trained in their proper implementation. The accounting staff should be required to document their compliance with the policies and procedures as they are performed, as part of the process. Documentation is critical to be able to test compliance with the controls and to provide the evidence of the fulfillment of your fiduciary responsibilities in this area.

In many larger organizations this function is performed by the internal audit department and the audit committee of the board of directors. In smaller companies it can be performed by the owner or by a committee of employees outside of accounting and/or by the company’s CPA. The objective is to perform a periodic review and compliance testing of the control procedures to ensure that they have been implemented and are continuing to work as designed. Again, this process should be adequately documented to demonstrate your effort to meet your fiduciary responsibilities.

Like it or not, as a fiduciary you have a legal responsibility to maintain an adequate system of internal accounting control to protect the assets under your care. The risks of ignoring this responsibility can be significant, including the loss of your reputation and business. An adequate system of internal control requires (1) creating a culture of honesty and high ethics, (2) evaluating fraud risk and designing and implementing controls, and (3) periodic compliance testing, reporting and a formal oversight process. These three factors are inter-dependent — all must be present to create an adequate system of internal controls for your company.

Accounting fraud and internal controls are not the most exciting topic, but when you are in the business of managing and protecting other people’s money, it is a topic that should be close to your heart. When it comes to fraud, trust, which is the essence of your business, takes years to build, yet seconds to shatter.