How to reduce the risk of fraud by keeping internal controls current

Ernie Rossi, Audit Partner, Sensiba San Filippo LLP

Savvy business owners know the value of internal controls and the critical importance of reviewing those controls on a regular basis. Effective internal control systems must be adapted to changes in business practices and the global economy. So how do today’s top businesses keep up?

Smart Business spoke with industry expert Ernie Rossi on the prevention and detection of internal fraud. For almost 20 years, Rossi has educated clients on maintaining effective internal controls. As an audit partner at Sensiba San Filippo LLP, Rossi teaches clients best practices for establishing internal controls and keeping them in step with the times.

What kinds of businesses need to protect against fraud?

No company is 100 percent immune to fraud. However, certain types of companies are at greater risk. Small companies tend to have limited resources, meaning they have employees who perform multiple duties. This is a problem because small businesses cannot easily separate what a good internal control structure would call ‘conflicting tasks.’ Properly separating tasks forces perpetrators of fraud to conspire in order to steal, and collusion is more difficult than acting alone.

Larger businesses may be more capable of separating tasks, simply due to having more staff, but over time, they can experience increasing risk of fraud if they become lax in pinpointing loopholes in their systems. Given time, people find weaknesses in the system, and can exploit these.

One common denominator among companies is that few believe they are susceptible to internal fraud. But statistics in this area are clear — most often, fraud is perpetrated by a long-term employee or friend. It is best to have well designed and implemented internal controls that reduce, as much as possible, the opportunities to commit fraud in the first place.

Under what conditions does internal fraud occur?

Internal fraud can be compared to a ‘perfect storm’ in which a motivated perpetrator meets poorly designed or poorly implemented internal controls and little or no monitoring of those controls. It is generally a rationalization on the employee’s part that they are entitled to the fraud. For example, the perpetrator might say, ‘The owner makes way too much money,’ or, ‘I work really hard, and the business doesn’t properly reward me for my efforts.’

You can distinguish between businesses that have poorly designed internal controls and those whose controls are poorly monitored. Internal controls may be in place, but sometimes the business’s culture evolves to a point where controls are allowed to be ignored. One common example: An increasingly busy workplace where checks are signed without thorough review of supporting invoices.

How can companies prevent internal fraud?

Companies that are led by a management team who sets the ‘tone at the top,’ by modeling the greatest degree of integrity, may be at less risk for internal fraud.  Business owners who play fast and loose with tax laws and company assets can expect employees to feel comfortable doing the same. While some business owners recognize the risk of fraud, they are often unsure about the steps required to prevent it. Companies should start small. The first step is to leverage a third party to review the business and uncover potential problems through an assessment of internal controls. This will help identify the areas of biggest risk — the low-hanging fruit.

The second step is to implement controls, such as separation of duties of employees, to shore up vulnerabilities uncovered in the assessment. Next, periodic reviews by internal managers and external assessors will help to keep controls from slipping out of practice.

It’s also important to educate employees about the purpose of the controls. Increased awareness, along with the knowledge that internal controls are a priority, will serve as a strong deterrent. Communicate that internal controls will ultimately protect employees if and when a fraud is committed by allowing them to quickly be eliminated from suspicion.

Financial audits can be helpful, but audits alone cannot replace internal controls or a thorough risk assessment. Audits only test a sample out of thousands of transactions, which are selected at random. So, the audit may catch an error, but it is no guarantee that the error is going to be a result of the fraud.

What qualifies an individual or a firm to assess risk?

Consider hiring a CPA with audit experience. They need not specialize in fraud, but they should be someone with lengthy experience in public accounting. Generally, CPAs with significant public accounting experience are well suited to evaluate controls that currently exist and assist in developing additional or more effective controls.

Basic assessments can be conducted over a few days or weeks, depending on the size of the business and amount of time needed to document the business’s day-to-day practices. The assessment does not need to be done all at once. The business owner should meet with the selected professionals, perform a general assessment, and then design a plan over time to develop and implement a comprehensive internal control system. After controls are implemented, periodic maintenance should be performed. Over time, even good controls will become less effective. Eventually people find their way around the controls, especially if they know they are not monitored regularly.

How does a service provider help clients protect themselves against fraud?

Any service provider should talk with clients about controls frequently, and not just during an annual audit or financial statement preparation. In every meeting, they should listen for key phrases or changes to the business. For example, the phrase, ‘We’re having cash flow problems,’ may indicate a control issue.

In order to truly reduce the likelihood of fraud, education and communication should be top priorities on both sides of the table.

Ernie Rossi is an audit partner at Sensiba San Filippo LLP, a regional CPA firm based in the San Francisco Bay area. He may be reached at (925) 271-8700 or [email protected]

Insights Accounting is brought to you by Sensiba San Filippo