Beyond business closures, widespread unemployment and entire industries staggered by depressed spending, savvy boards and owners are carefully tracking an unheralded but insidious threat to their reputation and financial standing. Like the film cliché of the call that’s coming from inside the house, fraud is a haunting reminder that those closest to us can do the most damage. But there is a hero to this horror story – internal controls.
Ideally, internal controls function like your business’ immune system, allowing normal internal functions to progress unimpeded, but identifying, analyzing and stopping anything that might pose harm before it does irreversible damage. With the right controls in place and functioning, even the most sophisticated fraudster won’t be able to pull off a heist and enrich themselves at your organization’s expense.
The Purpose of Internal Controls
From the individual perspective, your relationship to internal controls will be determined by your role, but at the macro level, the purpose of internal controls is to strengthen the foundation of your organization. A well-conceived internal controls scheme will prevent the misuse and misdirection of assets that belong to the corporation and its stakeholders.
The Importance of Post-Pandemic Internal Controls
Broad government-sponsored relief measures have opened avenues for funds earmarked to support the global economic recovery. Businesses and organizations are desperate for these funds, having effectively experienced an economic drought in the wake of the pandemic. Many are using cash from relief programs to keep their workforces employed or to pivot their business practices to survive in an unfamiliar market. But the availability of “easy money” is also attracting the attention of ne’er-do-wells hoping to redirect the deluge of government cash from the root system of the global economy into their own personal reservoirs.
It is important that organizations that receive relief funds, particularly those that are not used to sudden cash windfalls, develop controls that will ensure that relief money is tracked and used appropriately. Beyond protecting against insiders, entities also need to understand that the recipients of relief are, or will be, made public. That means your controls should account for external bad actors trying to take advantage of entities that find themselves with large amounts of cash on-hand, but relatively limited means of protecting assets. For example, cybersecurity is one sometimes neglected area that many businesses and organizations should devote significant resources to bolstering in the short term, particularly if they do not currently have that protective infrastructure in place.
How Internal Controls Protect Against Internal Threats
Regardless of the motivating factor – whether it be personal financial struggles or a desire to inflate results – those who stand to do the most damage to an organization are the very same people trusted with its stewardship. Consider one example ripped from recent headlines: Wirecard, a German payment processing company, uncovered massive fraud in 2020. Today, their CEO has been arrested and their COO has disappeared, presumed to have fled the country.
The “Fraud Triangle,” a model used to explain the factors contributing to organizational fraud, consists of three components: motivation, opportunity and rationalization. Motivation may be personal financial pressure or the need to boost results to meet an organizational goal. Opportunity is usually determined by a lack of oversight or access to resources or financial assets. And, because most people don’t think of themselves as crooked, rationalization is the bad actor’s ability to excuse fraud. It’s important to understand the concept of the Fraud Triangle to assess where your internal controls may fall short, particularly with respect to creating opportunity by not providing adequate and proper oversight of key functions.
As the modern work environment has transitioned to accommodate a largely remote workforce, organizations have an opportunity to re-think their internal controls to provide a more foolproof process. A few key recommendations include:
- New workflow systems and software that replace handwritten approval documentation and record the formal approval of transactions, with automated or email approvals archived for future reference;
- If not already instituted, a bank lockbox that can be utilized for cash receipts;
- Segregating duties to avoid the authorization, custody, recording and reconciliation of transactions by one party.
You may also consider technological solutions that will help add oversight, reinforce existing protective processes or introduce new ones. It may be beneficial to:
- Set limits relating to the access and use of credit cards that will ensure purchases are properly authorized. You can also control exposure and risk by setting a low maximum on your line of credit.
- Designate a process or technology for the oversight and approval of expense reimbursements, and use technologies to automate this process.
- Design controls over human resources and payroll processes using technologies that automate authorizations and approvals and establish checks and balances.
In addition, cyber threats originate from malicious external actors trying to infiltrate systems that they can manipulate, disrupt or hold for ransom, or to steal data relating to your organization, donors or clients. Stolen data can be sold to other criminal enterprises, or used to further breach your secure environments. As external actors, cybercriminals are capable of devastating attacks, but protecting against them can be fairly straightforward. Having the right infrastructure in place can enable your IT team to monitor and control access points, check credentials and issue reports on suspicious activities. A thorough, sophisticated internal controls program will help ensure that you’re protected not only from the outside, but also from those who may abuse their role to misallocate funds or misrepresent results.
In order to prevent fraud of this nature from affecting your business or nonprofit, board members need to have complete confidence that internal controls systems are working effectively. A board or audit committee should be able to get answers to their questions about controls or assets from an external auditor or CFO.
How to Tell if Your Internal Controls are Working
Test, test, test. Ensure your IT department or independent consultant is evaluating and testing your internal controls on a periodic basis. Cybersecurity companies regularly run mock attacks to determine the efficacy of existing measures, and investigations should similarly be undertaken to ensure not only that internal controls are operating as intended, but also that any leads or potential red flags can be thoroughly reviewed. If, for any reason, a board or independent investigatory interest is prevented from accessing important information, you may have uncovered a flaw in your system – or a major cause for concern.
Also consider what you are testing, and refresh the tests as necessary when controls change or the means of testing become familiar. Make sure that the tests you run are designed to uncover how:
- Expenditures are authorized in practice
- Funds are received and deposited
- Donors are acknowledged and donor information is protected
- Electronic files are secured from corruption or theft
- Access to data and systems is limited to only those who need it
- Access to financial assets is properly secured and limited
Should transitioning to a remote work environment, or similar organizational change, require you to develop a workaround outside of the defined processes and controls:
- Clearly define and document the adjusted process and controls
- Identify changes to roles and responsibilities and maintain segregation of duties
- Ensure proper management approvals are received
- Communicate the modified process and controls to all relevant parties
- Maintain accurate documentation to evidence the controls’ performance, even though it may be different than evidence maintained in the past
As a reminder, performing a risk assessment is an iterative process that should be revisited periodically, and more often as the circumstances warrant.
Which Industries Need Stronger Internal Controls?
In truth, every industry in any economic environment is ripe for fraud. That’s because, generally, organizations don’t take enough care with cash. It’s an open question as to why that is – maybe there is a misconception that cash is simple. But cash is not only the most common asset, it is also the easiest to transfer and most difficult to track down. Your organization may have airtight controls concerning revenue recognition, inventory and fixed assets, but cash can be misappropriated on an inbound or outbound basis, and is too often overlooked in the design of controls. The unfortunate truth is that few entities take the care they should with their most fundamental asset. Because of the vulnerability of cash as an asset, nonprofits, which often receive donations in cash and issue grants in cash, should take particular care with their controls.
Organizations that are understaffed, have poor controls surrounding cash, aren’t adequately segregating duties, or don’t use a fresh set of eyes to look at spending specifically from a cash perspective may be the most vulnerable to bad actors. That’s because fraud is easier to perpetrate and conceal when organizations either don’t have or aren’t allocating the resources and manpower necessary to prevent cash from being misappropriated.
If you have any questions or concerns regarding your organization’s exposure to fraud, or the adequacy of your internal controls programs, contact a Friedman advisor today.