Although internal controls are designed to protect a company against fraudulent schemes by its employees, all too often those controls prove to be ineffective.
This happens most frequently when senior personnel in the company collude to cover up a fraudulent scheme in which they have been engaged.
Many of the recent major frauds that have been in the headlines were conducted by employees in senior management positions.
When fraud at that level is conducted by one individual, internal controls will eventually catch the perpetrator. But when senior management personnel act in collusion to steal from the organization they are supposed to be managing, fraud can go undetected for a long period – and result in severe losses.
The median loss caused by fraud committed by nonmanagement employees is $80,000; by managers, $200,000; and by executives, a whopping $723,000, according to the Association of Certified Fraud Examiners 2010 Report to the Nations. When managers and employees conspire, losses are even higher and the detection times much longer.
Senior personnel can often act out of sight of other employees, who might otherwise become suspicious about unusual conduct. Moreover, senior personnel are often the very persons responsible for ensuring that the internal control structure functions properly. As such, in some organizations, they may operate without meaningful oversight except by one another. When the corporate watchdogs act together to defraud the company, it is difficult for those on the inside to detect the fraud or to stop it.
For very small companies, it is difficult to construct an effective internal control structure because management consists of a very small group of people, or even a single person. If management is the problem, there is no one for an employee who discovers or suspects a fraud to go to other than the authorities. This decision may carry some risk. Having at least one director or investor who is not involved in management gives an employee who suspects fraud somewhere to go.
For any organization, a strong internal audit function may be the best guard against employee thefts. An internal auditor, or even an external auditor, who comes in periodically to review all company transactions, provides a mechanism by which fraud can be detected and reported.
For the audit function to be effective, procedures must be established so the auditor has access to documentation relating to all transactions. In addition, there must be procedures for safeguarding those documents from alteration or destruction.
Preservation of the documents in electronic read-only form is perhaps the most effective method, particularly with a system that records when each document was created and when any attempts at modification were made.
Creating the internal audit function and assuring preservation of and access to key information is only part of the job. It is equally important to assure that the auditor has someone to report to, either within the organization or outside.
When there is a nonmanagement director on the board, or where an effective audit committee exists, the auditor must have the authority to report any suspected irregularities directly to that person or committee.
If there are no independent directors, the internal auditor should still have the authority to report to an outside investor or oversight committee if necessary.
While some companies will prefer to hire their own internal auditor, a CPA can be engaged to act as the “external” internal auditor. Independence rules will generally require that the CPA who serves as the “external” internal auditor not also be the organization’s financial statement auditor.
Every accountant who audits financial statements knows that detecting a collusive fraud is difficult at best. The creation of an internal or external audit function to oversee a company’s transactions and financial record keeping as they are occurring can be a vital step in assuring that the system of internal controls is not frustrated or rendered ineffective from within.