This may sound like a cliché to you: “An ounce of prevention is worth a pound of cure.” To borrow a phrase from a major health care provider, “practice protection with detection”; in this context, we substitute our financial wellbeing for our physical health. The best way to prevent theft and fraud is sound internal control. While safeguarding assets is one of the outcomes of effective internal control, it is certainly not the only reason a business, regardless of size, should design, implement and monitor a system of internal controls. Other reasons are:
- Reliability of financial reporting,
- Effectiveness and efficiency of operations, and
- Compliance with applicable laws and regulations.
In this article, however, we will focus on the prevention and detection of theft and fraudulent activities by employees. As a business owner, you need to consider the following 3 factors during this exercise:
- Cost - the degree of assurance offered by internal control is affected by the inherent cost-versus-benefit consideration relevant to all risks and proposed controls. Stated simply, the cost of any internal control procedure should never exceed the expected benefit.
- People - first and foremost, internal control is based on people, and, because of that, honest mistakes in judgment will occur and should be anticipated. Because of this human element, the effectiveness of an entity's internal controls will be directly impacted by the quality of its people. Consequently, the small business owner should make every effort to attract and retain the best people possible for positions in the company.
- Transaction Types - the transaction types most susceptible to fraud are:
  - Petty Cash
  - Assets by alternative uses
  - Cash Receipts
  - Payments to Unauthorized vendors
  - Travel Expenses
  - Drop-ship Purchases
  - Inventory and Equipment
  - Software licenses
  - Computer hardware
  - Vendor Rebates and credits
  - Payroll
The fundamental element of internal control is the segregation of certain key duties. The basic idea underlying SOD (Segregation of Duty) is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:
- Custody of assets
- Authorization or approval of related transactions affecting those assets
- Recording or reporting of related transactions
Traditional systems of internal control rely on assigning certain responsibilities to different individuals or segregating incompatible functions. The general premise of SOD is to prevent one person from having both access to assets and responsibility for maintaining the accountability of those assets.
If internal control is to be effective, there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities and those who handle assets. In general, the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of, or serves to check on, the work of another. Such arrangements reduce the risk of undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements. SOD serves as a deterrent to fraud and concealment of error because of the need to recruit another individual's cooperation to conceal it. In smaller organizations where the number of employees is limited, segregation of duties may not be feasible. In that case, the manager/owner needs to take a more active role in implementing and monitoring internal control activities.
As a manager/owner, you need to ask yourself the following questions:
- Who has access to blank checks? Are blank checks locked?
- Does any other person, in addition to you, have signature authority over the bank accounts?
- Who has knowledge of credit card numbers, expiration dates, and security codes?
- Do you do online banking such as transfers between accounts, bill payments, and credit card payments? If yes, who has access to user names, passwords, and PINs?
- Are verbal/written purchases, online purchases, and credit card purchases approved/authorized by you before orders are placed? Do you have a monitoring system?
- When signing a check, do you pay attention to the check date, payee, and amount of the check, and verify them against the bill/PO?
- Do you review the bank reconciliation report and bank statements monthly?
- Do you password-protect the accounting system and restrict employee access to sensitive financial data?
- Does the same employee approve customers, issue invoices/credits, process customer payments, and make bank deposits?
- Do you review the accounts receivable aged report frequently?
- Do you conduct an inventory count periodically and check on the movement of inventory to ensure there is no internal theft?
- Does the same employee approve/select vendors, submit/approve POs, receive shipments and process payments?
- Do you review the accounts payable aged report frequently?
- Do you have the same individual approve, process, and book payroll in the accounting system?
- Are payroll reports reviewed periodically or randomly for an unusual number of hours worked by hourly employees and unreasonable amounts of gross pay for salaried employees?
- Do you review employees' travel/reimbursement reports closely, and question increases?
- Do you have a forced vacation policy for all employees?
- Do you rotate employee responsibilities after a period of time?
- Do you conduct employee screening (criminal, credit) for new hires? Most small businesses do not spend money on this part, and may attract undesirable applicants.
- Do you find yourself trusting one individual too much without any monitoring/testing system?

Final words to small business owners:
Mark Twain said “trust everybody, but make sure you cut the cards”, which sums up the mentality of control. As a small business owner, you have limited resources; the following are several things you can do under the circumstances:
- Set a good example for employees, stressing the importance of ethics, including written codes of conduct.
- Treat employees well and have reasonable expectations. Give employees a “safe” channel to report suspected fraud by other employees to management.
- As a business owner, you need to actively understand and verify the financial information reported to you.
- Review the suggested questions above and understand the adverse impact on your business if no control is in place. Develop a plan to correct these problems.
- You can engage a CPA firm to conduct a limited audit in key areas to deter and prevent theft, and to expose it if you suspect something fishy is going on.
The following are some good websites for your reference:
- National Fraud Information Center: www.fraud.org
- Internet Fraud Complaint Center: www.ic3.gov/default.aspx
- Statement of Auditing Standards No. 99 (link to the PDF attached)

We shall be happy to assist you in the development of a control plan and to perform either a limited audit or a complete audit for your business. Please feel free to contact our office regarding this subject.
What we do for you...
- Implement segregation of duties so that duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction.
- Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.
- Ensure records are routinely reviewed and reconciled, by someone other than the preparer or transactor, to determine that transactions have been properly processed.
- Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
- Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting suspected improprieties.
- Document policies and procedures and make them accessible to employees. The documented policies and procedures provide day-to-day guidance to your staff and continuation of duties in the event of prolonged employee absences or turnover.
- Review operations to ascertain whether results are consistent with established objectives and goals and whether the operations are being carried out as planned.