Strong internal controls can protect a company from fraud losses and reduce its exposure to liability. Since executives frequently lack the time and expertise to evaluate their controls, they may be wise to consider seeking external advice from a financial consultant.
Today’s business managers have more reasons than ever before to tighten internal controls. The Sarbanes-Oxley Act makes managers of larger companies personally liable when weak internal controls lead to fraud.
Section 404 of the act, effective during fiscal years ending on or after Nov. 15, 2004, gives management increased personal responsibility for evaluating, testing and reporting on the effectiveness of internal controls.
But a surprising number of companies operate with an informal, disorganized administrative style, focusing on sales growth, day-to-day operational efficiency and cost containment. As a consequence, establishing effective internal controls stays on the back burner.
Neglecting internal controls, however, is a recipe for financial ruin through asset misappropriation and fraudulent financial reporting schemes. Also, operating with inadequate controls reduces effectiveness throughout the organization.
Strong controls can protect a company from fraud losses and reduce its exposure to liability. Since executives frequently lack the time and expertise to evaluate their controls, attorneys often advise clients to seek external advice on internal controls.
Look at external influences
Financial consultants assessing a company’s controls begin by considering characteristics distinctive to the industry or to the region of operation that might encourage fraud. For example, because bribes are commonplace in commercial activities in some foreign countries, manufacturers that deal with overseas suppliers may face greater risk for this kind of fraud.
Also, complexities of accounting for foreign currency transactions present fraud risks. For example, exchange rate volatility presents a fraud risk in financial statements. The problem comes in statements prepared after a sale but before payment.
When exchange rates shift, the company can experience unrealized gains or losses that must be reported on the statement. Because exchange rates change so frequently, companies can hide poor financial performance by manipulating figures.
After evaluating external influences, financial experts review the company’s formal documents, including its code of conduct, personnel policies, job descriptions and audit committee charters. They interview employees to assess attitudes toward fraud and awareness of fraud dangers. Observing workers in day-to-day activities offers additional insight into their behavior.
Experts assess how well controls have been implemented and whether they need to be updated. For instance, outdated formal job descriptions mean very little, and operational rules are ineffective if management regularly overrides them.
A stronger system
When the evaluation is complete, the expert presents company management with a list of recommendations for improving internal controls, taking into account the company’s size and resources.
For example, advising a small family-owned business to fully separate all duties or to purchase expensive video surveillance equipment to record all activities would be unrealistic. Mandatory vacation policies and fraud awareness training classes might be more reasonable suggestions for a small company.
An expert might also make recommendations relating to the three components of strong internal control systems specified in The CPA’s Handbook of Fraud and Commercial Crime Prevention:
- Basic controls. Companies can limit employees’ physical access to company facilities to those assets needed to perform their day-to-day responsibilities. These restrictions might involve measures ranging from simple locks to sophisticated surveillance equipment.
Other basic controls are formal written job descriptions allowing for both separation and duplication of duties and policies providing for occasional job rotation.
An example of job separation is splitting purchasing and receiving duties between two different employees. Assigning two employees to concurrently prepare monthly bank reconciliations is an example of job duplication.
Finally, basic controls include frequent financial reconciliation and analysis — quarterly, monthly or even weekly. Some businesses distribute weekly “flash reports” to department supervisors that highlight key financial metrics. Others keep a watchful eye on purchases just below the dollar limit that requires supervisory approval.
- Supervision. Management approval and review of the work by subordinates should include occasional tests of mathematical calculations underlying employees’ work.
For instance, a supervisor might occasionally redo the math on an expense report to be sure the columns add up or the mileage calculations are correctly computed. A manual timesheet is another basic document that supervisors could review for accuracy.
Higher level documents, such as reports prepared in accounting and purchasing, are also good targets for random checking.
Supervision also includes training employees to follow company fraud policies and controls and use hot lines to report suspected fraud. Employees should know the warning signs of potential fraud, such as managers who frequently override fraud controls, coworkers who never take vacations and suppliers who express dissatisfaction.
- Audit. A strong internal control program requires regular monitoring. Frequent reporting in key financial areas, supported by appropriate automated processes and tools, helps the company respond quickly to challenges and change controls where necessary.
As part of this effort, audit teams should assess and update the internal and external control environments regularly to help the company stay abreast of effective fraud risk management tools.
Meeting your client’s needs
Evaluating and strengthening the internal control environment in a company is a complex task. It takes the financial expertise of advisors who understand how to evaluate the effectiveness of internal controls.