Consequences of lack of internal controls

The 2004 Report to the Nation on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners (ACFE) cites this chilling statistic: “Participants in this study, anti-fraud specialists with a median of 16 years of experience in the fraud examination field, estimate that the typical US organization loses 6 per cent of its annual revenue to fraud. Applied to the US Gross Domestic Product for 2003, this translates to approximately $660bn in total losses.”

Despite the authoritative source of this estimate, its sheer magnitude might prompt sceptics to discount it as a self-serving alarm conveniently unsupported by case-by-case documentation. Now evidence is coming to light that suggests that the findings of the ACFE report are, if anything, underestimations.

The driving force behind the exposure of fraud on such an epic scale is the Sarbanes-Oxley Act of 2002, a product of the firestorm of public outrage ignited by the Enron accounting debacle. One of the requirements of Sarbanes-Oxley (SOX) is that corporations must disclose material weaknesses or significant deficiencies in their internal controls, known in the vernacular of this legislation as a 404 attestation. Proving the sages at the ACFE to be uncannily prescient, nearly 600 companies made such internal control weakness disclosures last year, with more than half related to fraud. In fact, almost 10 per cent of annual reports in the past year have received adverse SOX 404 audit opinions.

While fraud cases like those at Enron and WorldCom earn big headlines and fall under the rubric of inappropriate ‘expense recognition’, asset misappropriation due to fraudulent disbursements remains the core, tried-and-true tactic of the corporate fraudster. According to the ACFE, the top three techniques for fleecing an organization of its assets through fraudulent disbursements are all related to the accounts payable (AP) process: billing schemes, check tampering and expense reimbursement abuse.

Prevention is the Solution

Perhaps the most daunting aspect of the battle against fraud, aside from the staggering scope of the task, is that after-the-fact remedies are frequently futile. The ACFE calculates that the median recovery from a loss due to fraud is only 20 per cent, and 40 per cent of those defrauded recover nothing. The clear implication is that prevention is the only effective course, yet prevention means intercepting or blocking an event or series of events that have proven capable of eluding established internal controls.

It would be difficult to find a finance professional who didn’t believe that his or her company’s existing controls are an effective deterrent to fraud. Yet the ACFE report reveals that fraud is more likely to be exposed by accident (21.3 per cent of cases) than by internal controls (18.4 per cent), and tips remain a more prevalent source of detection (39.6 per cent) than internal audits (23.8 per cent). Clearly, if the open wound of corporate fraud is to be staunched, internal controls will need more than a band-aid to fight the problem.

Most, if not all, of the factors that contribute to fraud, and in particular AP-related fraud, can be neutralized with:

  • a strong internal controls environment that has clear policies and procedures where approvals and authorizations are tracked and enforced;
  • segregation of conflicting duties;
  • a strong internal and external audit function that does not drain processing and accounting resources;
  • complete audit trails that include properly maintained transaction-level backup;
  • prosecution of offenders to the full extent of the law;
  • anonymous whistleblower communication channels;
  • proper screening of candidates to prevent the hiring of fraudsters; and
  • an executive management culture that clearly conveys an ‘ethical tone at the top’.

As an examination of the following true tale of light-fingered larceny reveals, a strong control environment would have made it almost impossible for such fraud to take place.

A True Tale of Fraud

Our tale concerns a husband and wife team who colluded with an outside vendor to fleece their company of at least $2m over a seven-year period. As related by Robert Sells, senior associate at the recovery audit firm Connolly Consulting of Atlanta, the target of this sustained fraud was the well-respected newspaper, The Charlotte Observer, where poor internal controls contributed to the scandal it was, to its considerable embarrassment, obliged to report in its own pages.

The mastermind of the scheme was Mr Johnson, a 22-year employee of the newspaper with an unblemished record. It was Mr Johnson’s good fortune to serve as a purchasing manager who also had authority to both receive goods and services and approve invoices for the same. The invoices would naturally flow through the AP department, where Mr Johnson’s wife happened to work. All the Johnsons needed to complete a seamless scam was a co-operative and unscrupulous vendor with whom to connive. Mr Johnson cultivated a friendship with a favorite supplier until they became close enough that he could propose his ploy: ‘for every two shipments you send me, invoice The Charlotte Observer for three, and we’ll split the payment for the phantom shipment’.

The breakdowns in internal controls that allowed this arrangement to prosper over such a long time are manifold. Consolidating so many responsibilities in the hands of even the most trusted of employees is the first bright-scarlet flag. A married couple with entangled duties connected with AP is another red flare. Significant budget variances, on the order of $50,000 of bogus charges per month per department, were overlooked as boom times created a lax atmosphere that tolerated such large discrepancies. Poor inventory controls allowed non-existent shipments to be processed and paid for. To top it all off, nobody involved was bonded and the company wasn’t insured against such a loss.

While there is no question that better systems and procedures might have excised this cancerous scheme, simply bringing common sense to bear would have at least curtailed the loss. During the seven years that the Johnsons were siphoning off a substantial chunk of the newspaper’s revenue, their lifestyle took a dramatic turn for the better. They sold their old home, moved into a new lakefront mansion in an exclusive neighborhood, added a swanky boat, traveled like pashas and stockpiled fancy automobiles. Indeed, not only did Johnson flaunt his new-found wealth, he abandoned discretion entirely by incessantly putting himself into the picture in the very high profile world of NASCAR (the National Association for Stock Car Auto Racing). Every week, it seemed, he would be photographed bear-hugging the winner at the victory celebration, an awesome display of insider status in the region’s most revered sport.

Meanwhile, his demeanor around the office was quite the opposite. Formerly outgoing and hands-on, Johnson retreated into his office, where he spent most of each day behind a closed door and drawn blinds. How could everyone have failed to notice? The answer is that of course people noticed, but they didn’t trust their intuition enough to call Johnson’s bluff. All Johnson had to do to deflect curiosity over the course of the better part of a decade was claim an aunt died and left him an inheritance. Naturally, once the fraud was unmasked, the aunt was discovered to be as imaginary as the stream of phantom shipments Johnson authorized and his wife paid for.

Clearly, a woeful failure to segregate duties was at the heart of this calamity. Had Johnson not had the power to approve his own actions, this fraud might have been prevented altogether. Improved transparency and a more disciplined approval framework would also, at the very least, make fraud such as Johnson’s more difficult to launch and impossible to sustain.

While Mr and Mrs Johnson eventually received their comeuppance – curiously, The Charlotte Observer did not take immediate legal action upon their exposure – the newspaper nonetheless took a substantial hit, both in terms of financial loss and tarnished reputation. Nor were the perpetrators the only people to suffer: managers who presided over the slipshod operations were fired, steering lives and careers off track. The real tragedy of this tale is that if today’s business automation software and associated best business practices had been in place at the newspaper, this entire fraud case, and all the damage that ensued, would never have occurred.

Importance of Strong Internal Controls

All fraud requires opportunity to flourish, the kind of opportunity provided by paper messiness, murky audit trails and sloppy business processes. The best deterrent for fraud is a strong internal controls environment where the risk of detection is high. As the 18th century English philosopher, Jeremy Bentham, propounded in his classic criminal theory, the greater the risk of detection, the less likely a person is to violate the law. What makes potential fraudsters pause – from the CEO to the average rank-and-file employee – is the fear of exposure.

Business automation software institutes best practice workflows that act as a super deterrent. Automating internal controls increases the risk of a wrongdoer getting caught, thus locking out fraud while also significantly increasing operational efficiencies. At the end of the day, fighting fraud and instituting best practice processes that are cost efficient don’t have to be mutually exclusive goals but can instead support each other harmoniously and effectively.

A cornerstone fraud-busting internal control is properly maintaining transaction-level backup by associating it online with an ERP record, providing unparalleled visibility into financial data for approvals, reviews and audits. For example, by leveraging a document imaging system that is tightly integrated with a company’s ERP financial system, invoices can be sent directly to the AP department instead of the field. All paper invoice documentation can be scanned and then indexed into the ERP system using the image instead of the actual paper document. This permanent association of transaction-level backup to the ERP record has a dramatic impact on preventing and detecting fraud.

Central receipt of all invoices coupled with immediate front-end imaging enables the earliest possible recording of liabilities and gives CFOs the highest, most accurate visibility into AP accruals. In addition, costs are reduced because it enables companies to decrease approval and review cycle times and eliminate rush invoices, which allows them to take early payment discounts and avoid late payment penalties.

This visibility also supports a strong approval environment where authorizations can be made with a clear line of sight not only into all transaction-level backup but also the complete audit history that is tracked by the workflow software.

As countless case histories from the annals of fraud make clear, strict segregation of duties is essential to maintaining proper internal controls. While the concept is simple, systematic implementation and enforcement of segregated duties is difficult and rarely achieved. The logical place to start is with the ERP system. Most systems have tried to address segregated duties through a security framework, which governs the functionality accorded to each authorized user. This classification approach is expensive to design, deploy, support and maintain. As employees are promoted, reassigned or terminated, organizations must continually update their ERP systems with everyone’s correct authorization level, which rarely occurs in practice.

With business process automation and document imaging technology, companies can monitor the invoice as it transitions from one step to the next. The system tracks all of the changes and maintains a comprehensive audit trail. In this way, at each point of the process, companies have a record of what was performed and by whom for all prior steps, enabling them to automatically catch potential conflicts at the transaction level.

Since segregation can be enforced at the transaction level instead of the job role level, employees can still be allowed to perform multiple functions as long as they don’t perform conflicting duties on the same transaction. Through the use of real-time monitoring of business transactions that identify potential policy violations, payment errors, system misuse and fraud while routing them for executive review and disposition, companies can minimize risk while boosting productivity.
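The transaction-level check described above, sketched as an added example (not code from any ERP or workflow product). The step names, user IDs, conflict rules and the related-party table are assumptions constructed for illustration; the related-party rule extends the check to cover declared relationships such as the married couple in the case above.

```python
from collections import defaultdict
from itertools import combinations

# Hypothetical policy: pairs of steps that one party must not both
# perform on the same invoice.
CONFLICTING_STEPS = {
    frozenset({"order", "receive"}),
    frozenset({"order", "approve"}),
    frozenset({"receive", "approve"}),
    frozenset({"approve", "pay"}),
}

# Hypothetical declared relationships (e.g. spouses), treated as one party.
RELATED = {frozenset({"pm_a", "ap_b"})}

def same_party(u1, u2):
    """True if the two users are the same person or declared related."""
    return u1 == u2 or frozenset({u1, u2}) in RELATED

def find_sod_conflicts(audit_trail):
    """Scan (invoice, step, user) events; return a sorted list of
    (invoice, step_a, user_a, step_b, user_b) for every conflicting
    pair of steps performed by one party on the same invoice."""
    by_invoice = defaultdict(list)
    for invoice, step, user in audit_trail:
        by_invoice[invoice].append((step, user))
    conflicts = []
    for invoice, events in by_invoice.items():
        for (s1, u1), (s2, u2) in combinations(events, 2):
            if frozenset({s1, s2}) in CONFLICTING_STEPS and same_party(u1, u2):
                conflicts.append((invoice, s1, u1, s2, u2))
    return sorted(conflicts)

# Constructed sample audit trail, not real data.
AUDIT_TRAIL = [
    ("INV-1001", "order", "pm_a"), ("INV-1001", "receive", "pm_a"),
    ("INV-1001", "approve", "pm_a"), ("INV-1001", "pay", "ap_b"),
    ("INV-1002", "order", "buyer_c"), ("INV-1002", "receive", "dock_d"),
    ("INV-1002", "approve", "pm_a"), ("INV-1002", "pay", "ap_e"),
    # pm_a and ap_b both touch INV-1003, but not in conflicting steps.
    ("INV-1003", "order", "pm_a"), ("INV-1003", "receive", "dock_d"),
    ("INV-1003", "approve", "buyer_c"), ("INV-1003", "pay", "ap_b"),
]

if __name__ == "__main__":
    for c in find_sod_conflicts(AUDIT_TRAIL):
        print("HOLD for review:", c)
```

Only INV-1001 is held: the same users appear on the other invoices without conflict, which is the difference between transaction-level and role-level segregation.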

In the end, a strong business process automation solution defines and enforces clear policies and procedures, automating financial processes with all of the business rules defined in best practice workflows. This fortifies the effectiveness and efficiency of a strong internal and external audit function, helping to avoid financial misstatements. Auditors can be given self-service access to complete audit trails and complete transaction backup for every financial transaction so that controls can be quickly tested and audit costs are thus minimized. Standardized best practice processes across an entire organization drive superior business performance, ROI and sustainable competitive advantage.

What happens if internal controls are not monitored?

Don't get too comfortable just because you have internal controls in place. You should monitor them for deficiencies that may arise as your organization changes.

What will happen to a company if it has a weak internal control?

Internal controls are applied to the company's financial and accounting procedures, with the intention of preventing and identifying fraud and errors. If a company has weak internal controls, it is opening itself up for big problems down the road, as it cannot accurately account for the actions of its employees.

What is lack of internal controls?

A business that lacks internal controls runs inefficiently, unreliably, and in violation of applicable rules and regulations. This frequently leads to an inability to track performance against budgets and forecasts.