Effective Internal Fraud Controls
The Frontline of Fraud Risk Management
Internal fraud occurs as the result of a series of weaknesses within internal control systems, which are at the top of the fraud risk management pyramid. This article defines the three essential types of internal controls, their five interrelated components, and how they can be instituted for maximum protection.
Internal controls are perhaps the most essential element in managing risk in an organization. The absence or lapse of internal controls in an organization is a tempting open door or opportunity for fraud. When linked with the lack of integrity or with the ability to rationalize criminal behavior, this absence or lapse completes the fraud pyramid and allows an individual to engage in fraudulent activities, without admitting to being a criminal.
Internal controls were defined in the COSO Report as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations,
- Reliability of financial reporting, and
- Compliance with applicable laws and regulations.”1
There are five interrelated components of internal controls:
- Control environment (e.g., tone at the top)
- Risk assessment
- Control activities or control procedures
- Information and communication systems support
- Monitoring.2
PCAOB and the SEC define internal control over financial reporting as “a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
- Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of the company’s assets that could have a material effect on the financial statements.”3
There are generally three major types of controls: preventive, detective, and corrective controls. Preventive controls are first in line to prevent errors, omissions, or misappropriation of assets from occurring. This type of control (e.g., passwords, safes, fences, locks) is more efficient.
Detective controls find errors or fraudulent incidents that escape the preventive controls. These controls are important when preventive controls are weak. For example, there are situations in which transactions are obtained from third parties, such as sales reports from franchisees or baggage claims reported by passengers at airports.
Corrective controls are the actions taken to minimize further losses. They are there to correct errors, omissions, and frauds after detection. But internal controls can be broken, often by top executives. Fraud caused by the lack of internal controls can even affect the valuation of a company prepared by a CVA.
1 Committee of Sponsoring Organizations of the Treadway Commission, Internal Control: Integrated Framework, (New York: COSO, 1999), p. 9.
2 SAS No. 94, The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit (New York: AICPA).
3 PCAOB Release 2004-001, par. 7.
D. Larry Crumbley is a KPMG-endowed professor at Louisiana State University. He is the co-author of the Forensic and Investigative Accounting textbook, published by Commerce Clearing House, as well as 13 educational novels, six of which were published by Carolina Academic Press. Larry can be reached at dcrumbl@lsu.edu.