We have been discussing the need for proper operational and capital budgeting to ensure that a company meets its goals a lot. However, these plans can go seriously awry if the company does not also have a solid set of basic controls to keep its funds and assets from going astray. In this post we review the need for control systems, specify the types of fraudulent activities that make the use of controls particularly important, and itemize many controls that can be installed in a small business.
As controls frequently have a cost associated with them, it is also possible to take them out of an accounting system in order to save money; we are going discuss the process of spotting these controls and evaluating their usefulness prior to removing them.
The Need for Control Systems
The most common situation in which a control point is needed is when an innocent error is made in the processing of a transaction. For example: an accounts payable clerk neglects to compare the price on a supplier’s invoice to the price listed on the authorizing purchase order, which results in the company paying more than it should. Similarly, the warehouse staff decides to accept a supplier shipment, despite a lack of approving purchasing documentation, resulting in the company being obligated to pay for something that it does not need. These types of actions may occur based on poor employee training, inattention, or the combination of a special set of circumstances that were unforeseen when the accounting processes were constructed originally. There can be an extraordinary number of reasons why a transactional error arises, which can result in errors that are not caught, and which in turn lead to the loss of corporate assets.
Controls act as review points at those places in a process where transactional errors have a habit of arising. A process flow expert who reviews a flowchart that describes a process will recognize the potential for some errors immediately, simply based on his or her knowledge of where errors in similar processes have a habit of arising.
Also, highly specific circumstances within a company may generate errors in unlikely places. For example: a manufacturing company that employs mostly foreign workers who do not speak English will experience extra errors in any processes where these people are required to fill out paperwork, simply due to a reduced level of comprehension of what they are writing. Consequently, the typical process can be laced with areas in which a company has the potential for loss of assets.
Many potential areas of asset loss will involve such minor or infrequent errors that accountants can safely ignore them and avoid constructing any offsetting controls. Others have the potential for very high risk of loss and so are shored up with not only one control point, but a whole series of multilayered cross-checks that are designed to keep all but the most unusual problems from arising or being spotted at once.
The need for controls also is driven by the impact of their cost and interference in the smooth functioning of a process. If a control requires the hiring of an extra person, then a careful analysis of the resulting risk mitigation is likely to occur. Similarly, if a highly efficient process is about to have a large and labor-intensive control point plunked down in the middle of it, quite likely an alternative approach should be found that provides a similar level of control but from outside the process.
The controls installed can be of the preventive variety, which are designed to spot problems as they are occurring (i.e., online pricing verification for the customer order data entry staff), or of the detective variety, which spot problems after they occur, so that the accounting staff can research the associated problems and fix them after the fact (i.e., a bank reconciliation). The former type of control is the best, since it prevents errors from ever being completed; the second type of control results in much more labor by the accounting staff to research each error and correct it. Consequently, the type of control point installed should be evaluated based on its cost of subsequent error correction.
All of these factors—perceived risk, cost, and efficiency—will have an impact on a company’s need for control systems and the preventive or detective type of each control that is contemplated.
Types of Fraud
The vast majority of transactional problems that controls guard against are innocent errors caused by employee errors. These tend to be easy to spot and correct, when the proper control points are in place. However, the most feared potential loss of assets is not through these mistakes but through deliberate fraud on the part of employees, since these transactions are deliberately masked, making it much more difficult to spot them.
Discussion of the eight most common types of frauds that are perpetrated follows:
Cash And Investment Theft
The theft of cash is the most publicized type of fraud, and yet the amount stolen is usually quite small, when compared to the byzantine layers of controls typically installed to prevent such an occurrence. The real problem in this area is the theft of investments, when someone sidesteps existing controls to clean out a company’s entire investment account. Accordingly, the accountant should spend the most time designing controls over the movement of invested funds.
Expense Account Abuse
Employees can use fake expense receipts, apply for reimbursement of unapproved items, or apply multiple times for reimbursement through their expense reports. Many of these items are so small that they are barely worth the cost of detecting, while others, such as the duplicate billing to the company of airline tickets, can add up to very large amounts. Controls in this area tend to be costly and time-consuming.
Financial Reporting Misrepresentation
Although no assets appear to be stolen, the deliberate falsification of financial information is still fraud, because it impacts a company’s stock price by misleading investors about financial results. Controls in this area should involve internal audits to ensure that processes are set up correctly, as well as full audits (not reviews or compilations) by external auditors.
Fixed Assets Theft
Although the term fixed assets implies that every asset is big enough to be immovable, many items—particularly computers—can be easily stolen and then resold by employees. In many instances, there is simply no way to prevent the loss of assets without the use of security guards and surveillance equipment. Given that many organizations do not want to go that far, the most common control is the purchase of insurance with a minimal deductible, so that losses can be readily reimbursed.
Inventory And Supplies Theft
The easiest theft for an employee is to remove inventory or supplies from a storage shelf and walk away with them. Inventory controls can be enhanced through the use of fencing and limited access to the warehouse, but employees still can hand inventory out through the shipping and receiving gates. The level of controls installed in this area will depend on the existing level of pilferage and the value of inventory and supplies.
Non-payment Of Advances
The employees who need advances, either on their pay or for travel, are typically those who have few financial resources. Consequently, they may not pay back advances unless specifically requested to do so. This requires detailed tracking of all outstanding advances.
Purchases For Personal Use
Employees with access to company credit cards can make purchases of items that are diverted to their homes. Controls are needed that require detailed records of all credit card purchases, rather than relying on a cursory scan and approval of an incoming credit card statement.
Members of the purchasing staff can arrange with suppliers to source purchases through them in exchange for kickback payments directly to the purchasing staff. This usually results in a company paying more than the market rate for those items. This is a difficult type of fraud to detect, since it requires an ongoing review of prices paid as compared to a survey of market rates. Fraud problems are heightened in some organizations, because the environment is such that fraud is easier to commit. For example, a rigorous emphasis on increasing profits by top management may lead to false financial reporting in order to “make the numbers.”
Problems also can arise if the management team: is unwilling to pay for controls or for a sufficient number of supervisory personnel; is dominated by one or two people who can override existing controls; or has high turnover, so that new managers have a poor grasp of existing controls.
Fraud is also common when the organizational structure is very complex or the company is growing quite rapidly; both situations tend to result in fewer controls, which create opportunities to remove assets. Consequently, fraud is much more likely if there are unrealistic growth objectives, if there are problems within the management ranks, or if controls are not keeping pace with changes in the organizational structure.
Further worth reading: Apply And Perform Key of Controls – Prevent and Detect Fraud