Download (direct link):
Internal control is comprised of the control environment, the accounting system, and control procedures. Common control fraud symptoms include a poor control environment, lack of segregation of duties, lack of physical safeguards, lack of independent checks, lack of proper authorizations, lack of proper documents and records, the overriding of existing controls, and an inadequate accounting system.
Many studies have shown that the most common element of employee fraud is the overriding of existing internal controls.4
KPMG, in its 1998 Fraud Survey, was reported to have come to a slightly different conclusion based on the observations of respondents. They reported that
when their organizations experienced occupational fraud, poor internal controls were cited 58 percent of the time, and management override of controls was mentioned in 36 percent of incidents. Various forms of collusion were also mentioned frequently: 31 percent of respondents cited collusion between employees and outside third parties, and 19 percent cited collusion among employees or management. Other causal factors mentioned were directors’ lack of control over management (11 percent) and a poor or nonexistent corporate ethics policy (8 percent).5 From the structure of the responses, it is evident that more than one causal factor could be cited for a given incident or series of incidents.
When I have been involved in reviews of controls programs, such as anti-money laundering controls, I like to employ a three-stage approach. First, I meet with key professionals in the controls and compliance programs to learn how their programs were developed, staffed, and implemented. I also learn how they are administered. More times than not, the programs are well written, comprehensive, and perhaps even draconian in tone. Second, I spend some amount of time checking documentation regarding training, monitoring, and follow-up. Last, I cheat. I saunter down to human resources and ask to see the data for the last year or so for persons sanctioned or terminated for violating these controls. Invariably, I get a blank stare. I usually follow up by advising that I do not need to see all of these employee folders, just a few of the recent ones. The stare gets blanker.
Then, I mosey back up to the compliance people to congratulate them. They are an organization—say, if it is a financial institution—that has a couple of million customer accounts and a couple of thousand account representatives and, evidently, no one has broken any of these rules in the last year or so. That is impressive. It is also usually the sign of a compliance program that is not being very actively or comprehensively enforced.
It is not unusual to investigate a significant occupational fraud and see that the organization has fine controls—on paper. They just have not been followed or were overtaken by events. Control systems can age and become out of alignment with the new shape of the organization or its current operations and interests.
A brief look at several current financial controversies may offer instructive guidance:
Allied Irish Banks PLC suffered losses of $691 million at the hands of rogue trader John Rusnak. While initial reports indicated Rusnak had concocted some incredibly sophisticated scheme to pull this off, other reports indicate that lapses in more basic control procedures may have had a role.6
It would seem at this stage there were a number of factors responsible for the problems at Allfirst, but apparently high among them were issues of controls adequacy. Likewise, at Lehman Brothers, where broker executive Frank Gruttadauria is accused of defrauding customers of $125 million over a 15-year period, The Wall Street Journal wrote: “The star stockbroker in the Cleveland
office of Lehman Brothers who allegedly cheated clients out of millions of dollars also supervised the office-compliance executive whose job it was to help police the office’s brokers, according to people familiar with the matter.”7 Yet, many organizations utilize their controls effectively. Controls can take many forms—many that are not immediately obvious to us. The ubiquitous automated voice on the telephone informing us “This call may be monitored for training and quality assurance purposes” is a form of controls. Likewise, the unseen video camera somewhere in the ceiling above every dealer in almost every casino is a form of controls. The state inspection sticker on the windshield of your automobile is a form of control the state uses to promote highway safety.
A survey of 500 executives that appeared in Sales & Marketing Management magazine reported that 27 percent of companies had terminated employees as a result of some sort of monitoring. The three primary reasons cited for conducting such monitoring were to ascertain quality interaction with clients, productivity, and to spot criminal or illegal activity.8 It seems that the quality or rigor of the controls, while important, is not as crucial as the fact that they are in place and are being properly utilized.