In last week’s article, we explored the specific type of fraud Scrutinize is designed to detect - occupational fraud. I left all of you on a bit of a cliffhanger, though.
I left you without the most important information when it comes to fraud - how to prevent and detect it. I’m sure your heads have been swimming with all the ways your company could be vulnerable. Mea culpa.
But the wait is over. This week we will be examining the control environment. It is perhaps the most effective weapon in the accounting department’s arsenal, and a pillar of any fraud mitigation strategy. Maybe you’ve heard those words before, but don’t have a great understanding of what they actually mean. Blame it on accountants for not being very creative when it comes to naming conventions.
A proper internal control environment is based on the internal control framework (COSO) co-developed by five accounting-related professional organizations. Without getting into the weeds on that, just keep in mind that the internal control environment spans the entire company and is made up of the policies and procedures used to protect the company’s assets, produce accurate financial statements and prevent fraud.
For our purposes, we are inspecting seven components that can be effectively put in place and managed by the accounting department. Each of these components is designed with the intent to be either preventative or detective. This is not a comprehensive list, as there are many controls that apply to specific companies or industries, but these are the most common.
You may have heard the saying “an ounce of prevention is worth a pound of cure.” I couldn’t agree more. Fraud is always easier to prevent than detect. Here are some controls that are designed to be preventative measures:
Separation of duties - no one person should handle everything for a given workflow. Let’s take paying vendors as an example. In an ideal world, the person approving purchases should be different from the person recording invoices for those purchases in the system, and a third person should be approving those invoices for payment. If that sounds like a lot of people just to pay vendors, you’re not crazy. We’ll touch on that more later.
Access - software systems, information and physical areas should require different levels of permission to enter, review and/or manipulate based on the roles and responsibilities each person has in the company.
Approval hierarchies - approval for certain transactions, such as purchases or entering contracts, should be limited to a select group of people to ensure that an appropriate number of people have seen the transaction before it is approved. This prevents a single person from being able to perpetrate a fraudulent transaction without convincing other members of their team to assist them, which makes it harder to commit the fraud.
Standardized documents - invoices, purchase orders, expense reports and other company documents should follow the same format. This makes it easier to spot when something is amiss in one of the documents or if a specific document is missing altogether.
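The separation of duties rule from the vendor-payment example can be checked mechanically against an audit log. The sketch below is an added example, not part of Scrutinize or of any accounting product; the step names, invoice numbers and users are constructed for illustration. It flags any invoice where one person performed more than one step, or where a step is missing altogether.

```python
from collections import defaultdict

# The three steps of the vendor-payment workflow described above.
REQUIRED_STEPS = ("approve_purchase", "record_invoice", "approve_payment")

# Constructed sample audit log: (invoice id, step, user). Not real data.
SAMPLE_LOG = [
    ("INV-1001", "approve_purchase", "alice"),
    ("INV-1001", "record_invoice", "bob"),
    ("INV-1001", "approve_payment", "carol"),
    ("INV-1002", "approve_purchase", "dave"),
    ("INV-1002", "record_invoice", "dave"),
    ("INV-1002", "approve_payment", "carol"),
    ("INV-1003", "record_invoice", "erin"),
    ("INV-1003", "approve_payment", "erin"),
]


def find_sod_findings(log):
    """Return {invoice_id: [finding, ...]} for invoices that break the rule."""
    steps = defaultdict(lambda: defaultdict(set))  # invoice -> step -> users
    for invoice_id, step, user in log:
        steps[invoice_id][step].add(user.strip().lower())

    findings = {}
    for invoice_id, by_step in steps.items():
        issues = []
        # A required step with no actor means the workflow was bypassed.
        for step in REQUIRED_STEPS:
            if not by_step.get(step):
                issues.append(f"missing step: {step}")
        # Invert to user -> steps to see who touched more than one step.
        by_user = defaultdict(set)
        for step, users in by_step.items():
            for user in users:
                by_user[user].add(step)
        for user, user_steps in sorted(by_user.items()):
            if len(user_steps) > 1:
                issues.append(f"{user} performed: {', '.join(sorted(user_steps))}")
        if issues:
            findings[invoice_id] = issues
    return findings


if __name__ == "__main__":
    for invoice_id, issues in find_sod_findings(SAMPLE_LOG).items():
        for issue in issues:
            print(invoice_id, "-", issue)
```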
No matter how diligent we are, mistakes happen. Sometimes they are honest, and other times they are intentional. Either way, the following are steps that can be taken to detect errors or outright fraud:
Asset audits - assessing the actual balance of inventory or other assets against the amounts your balance sheet reflects. During the normal course of business, it is common for the wrong inventory accounts to get adjusted erroneously. This process can reconcile any discrepancies between your software systems and the physical goods on hand as well as root out any large variances related to shrinkage - a term used to describe inventory theft.
Trial balances - this is a report generated by your accounting software that adds up all the debits and credits for a specific period to make sure they balance. The best part of double entry accounting, and why it has been used for 2,000 years, is that the sum of all debits and credits must be equal. If they aren’t equal in this report, it is easy to identify which accounts are off and drill in deeper to figure out why.
Regular reconciliations - this process ensures the records in your accounting system match the source of truth used to make them. For example, your bank statement is the “source of truth” for what happened in your bank account in any given period, and your accounting system needs to mirror that. Not reconciling differences on a regular basis exposes you to errors or fraudulent entries being made to mask what really happened. One of the fraudsters I discovered would frequently leave accounts unreconciled for months at a time until he figured out where to blend his fraudulent transaction into something legitimate. Because there was no separation of duties, he also performed the reconciliation and was able to hide his fraud for almost a year before being caught.
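A bank reconciliation of the kind described above can be sketched in a few lines. This is an added example, not the author's or Scrutinize's code; the transactions, the 30-day staleness threshold and the matching key (reference plus amount) are assumptions chosen for illustration. It reports what each side cannot explain and which ledger items have sat unreconciled for too long.

```python
from collections import Counter
from datetime import date

# Constructed sample data: (posting date, reference, amount in cents).
BANK = [
    (date(2024, 3, 1), "CHK-501", -120000),
    (date(2024, 3, 4), "DEP-77", 450000),
    (date(2024, 3, 9), "CHK-502", -98000),
]
LEDGER = [
    (date(2024, 3, 1), "CHK-501", -120000),
    (date(2024, 3, 4), "DEP-77", 450000),
    (date(2024, 3, 9), "CHK-502", -89000),   # amount differs from the bank
    (date(2024, 1, 15), "CHK-498", -30000),  # never cleared the bank
]


def reconcile(bank, ledger, as_of, stale_days=30):
    """Match on (reference, amount); return what each side cannot explain."""
    # A Counter is used so duplicate bank lines are matched one-for-one.
    bank_left = Counter((ref, amt) for _, ref, amt in bank)
    ledger_only = []
    for posted, ref, amt in ledger:
        if bank_left[(ref, amt)] > 0:
            bank_left[(ref, amt)] -= 1  # consume one matching bank line
        else:
            ledger_only.append((posted, ref, amt))
    # Whatever remains on the bank side has no ledger entry behind it.
    bank_only = sorted(bank_left.elements())
    # Ledger items left unreconciled longer than the assumed threshold.
    stale = [ref for posted, ref, _ in ledger_only
             if (as_of - posted).days > stale_days]
    return {"ledger_only": ledger_only, "bank_only": bank_only, "stale": stale}


if __name__ == "__main__":
    result = reconcile(BANK, LEDGER, as_of=date(2024, 3, 31))
    for key, items in result.items():
        print(key, items)
```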
What does this all boil down to? Policies and procedures are just words. They’re only as effective as the people in charge of overseeing them, and the closeness with which they’re followed. In fact, not all types of controls are possible to implement in every situation. The “right” ones for your company are based on the organizational structure. Ultimately, decisions have to be made about the tradeoffs between operational efficiency and a perfect control environment.
So how does Scrutinize fit into all of this? As you can imagine, a lack of any kind of control is a possible attack vector for fraudsters. Scrutinize analyzes your data to make sure the controls you do have in place are effective, and that the gaps left by the ones you don’t have aren’t being exploited.
For answers to questions you have about this or related topics, schedule your free consultation today.