DEALING WITH WHITE COLLAR CRIME

INTERNAL CONTROL

Management will wish to have some confidence that the systems instituted by it are working properly. To this end it introduces controls known as internal controls-over the systems. The aim of the controls, in general, is to prevent or detect errors and fraud.

FRAUD PREVENTION

Many organisations currently have plans or would like to implement some specific changes to combat fraud. Steps most commonly planned include:

• training courses in fraud prevention and detection
• increased budget for internal audit
• the establishment of an audit committee
• staff rotation policy
• increased focus of senior management on the problem
• investigative review
• a review of and improvement of internal controls
• increased budget for security personnel

DISCOVERY OF FRAUD

The control or prevention of internal fraud is within the control of an organisation through internal control procedures and the role of an internal audit department. External fraud is more difficult to control/prevent as it is external to the company. However, good business procedures and regular review of these by means of internal audit can reduce the risks.

Overall, 41% of respondents to the KPMG Fraud Survey 1996 indicated that fraud was discovered through internal controls. This was the most common method of detection in most regions. In almost half the cases internal controls were cited as the most common method of detection. The following chart provides the top three detection methods by region:

• The element responsible in most regions for raising "red flags" was the internal control structure.
• Organisations are implementing a number of procedures to combat fraud. Frequently, cited planned improvements include further review of internal controls, training courses in fraud prevention, and increased funding of audit and security controls.

For a control to be designated a key control it must operate over information that is material and must have three properties:

• it must be well designed.
• it must provide reasonably persuasive evidence of its operation
• it must, where necessary, have the support of adequate general controls.

The quality of the design on a control can only be assessed by asking whether the control will achieve its purpose and whether it is possible to foresee that errors which it is intended to prevent might nevertheless slip through. It requires, among other things, the ability to detect an error and, if necessary, to correct it. Points to consider when looking at the design of a control are:

• Authority
  Is authority really worth anything? How many authorised signatories are there (if there are too many the person responsible for rejecting unauthorised items will not be able to distinguish authorised from unauthorised)? Is authority given to what should happen or to what has happened (the latter is more likely to be effective)?
• Responsibility
  Is responsibility for control really taken by the user? Does he have sufficient information to carry out his responsibility? Where functions have been split, or systems integrated, have lines of responsibility been clearly laid down?
• Appropriate Personnel
  Is authority or responsibility for the performance of a task in the hands of an appropriate person? Is he/she sufficiently senior to give authorisation or take responsibility? Is he/she competent to carry out the task? Is he/she divorced from other functions which would conflict with the task concerned?

There are two other elements which are included in the generally accepted view of what is an internal control:

• procedures which are outside an accounting system as such (e.g. keeping the door to a stock-room locked)
• arrangements that determine how something is done as opposed to whether it is done at all (e.g. use of well-trained staff)

It is possible, therefore, to include in the definition of internal control a very wide variety of things. Eight types of controls may be found: organisation; segregation of duties; physical (e.g. locking up the cash); authorisation and approval; arithmetical and accounting; personnel (e.g. training); supervision and management (e.g. budgetary control).

The result is that 'control' is a word which is so loosely used as to be devoid of real meaning. It is only proper controls which really do provide the desired effect that can assist us. In order for controls to be effective:

1. they must include a procedure that will detect the type of error against which protection is sought
2. they must include procedures to correct such errors as are found
3. both (a) and (b) must operate within a short enough time period to be of use.

• Reality of Control
  Does the procedure really provide the desired control? This is largely a question of understanding exactly what is being done. It particularly applied to reconciliations: it is common to find that neither of the figures being reconciled actually provides any control over the other, usually because they are not obtained from really independent sources. It also applies to anything called a control total.
• Timeliness
  To be effective a control must be applied at the right time - i.e. the right stage in the processing cycle. For example, updates to a master file of sales prices must be authorised after updating but before processing any sales invoices to be priced from the dated file.
• Reasonableness
  Is it reasonable to expect the control to work? For example, could the authorisation of a print-out of the wages of 1 000 employees mean very much? Can a senior executive be expected to devote more than a few minutes to a control procedure?

With this background we can consider:

• completeness, existence and accuracy controls
• authorisation controls
• processing controls
• internal controls over computerised processes
• safeguard controls

(Previous) (Next)