Guest Author - Consuelo Herrera, CAMS, CFE
John Doe, a charming logistics assistant, could record inventory, deliver parts, gather checks from customers who picked up merchandise at the warehouse, and take cash and checks to the back, among other functions. To John's and his employer's detriment, he was placed in a position to steal and conceal.
To successfully manage high-risk areas, organizations must avoid incompatible functions. Incompatible functions are those that place any person in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties. Many technology companies advocate real-time transaction inspection; however, many mid-sized businesses can implement a well-designed internal control system that ensures compliance with five objectives: authorization, validity, proper recording, accountability and comparison, and protection and limited access.
Authorization implies general or specific controls where independent testing is performed to gather evidence that appropriate authorization has been granted by someone with vested authority. Transactions must conform to the terms of such authorization.
Validity means that controls are effective and provide reasonable assurance about the existence of assets and liabilities at a given date and about whether recorded transactions occurred during a given period. For example, when an organization records the receipt of checks immediately, it provides evidence of cash. Monitoring transactions independently and continuously, close to the point at which they occur, is a powerful internal control.
A positive response to improper segregation risk is having mitigating controls in place. Some call these "after-the-fact" manual controls. A criticism of this practice is that it calls the integrity of the numbers into question and induces inefficient processes. The opposite of "after-the-fact" control is real-time transaction inspection, which automates the manual processes for addressing segregation of duties by testing every transaction for compliance as the financial systems process that transaction. Investigative techniques involve specialized analytical computer applications that help effectively identify unusual transactions and trends. Statistical correlations and other advanced computer technology are used to search for companies and individuals with suspicious patterns. The truth is that proper segregation of duties helps to lessen fraud risks.
Another objective of internal control is Proper Recording. It ensures completeness, valuation, classification, and timing. Completeness ensures that transactions are not omitted from the accounting records. Valuation ensures that the actual amounts of the transactions are properly recorded. Entering transactions in the appropriate account is the Classification component of proper recording. Timing refers to recording, as promptly as practicable, all transactions in the accounting period in which they took place.
Reconciling assets ensures monitoring of them from acquisition to disposition. Comparing recorded assets with actual assets in the organization supports the existence of assets and validates the numbers in the balance sheet.
Providing protection of assets is another objective of internal control. It implies limited access, both direct and indirect. Direct access is achieved through physical access and indirect access is achieved through documents that authorize use or disposition of assets.
A prevalent audit concern should be the verification of the existence of specific control objectives. For example, regarding purchases, those controls should be:
1. Proper authorization of requisitions before purchase orders are issued.
2. The purchasing department of the organization must ensure that requisitions are within the budget before purchase orders are prepared.
3. Limited access to the goods during the receiving activity.
4. The logistics or receiving department must make a blind count of the goods received, independently of any other department.
AU 319.64, issued by the Institute of Certified Public Accountants, states that assessing control risk is the process of evaluating the effectiveness of an entity's internal control in preventing or detecting material misstatements in the financial statements.
Forensic accountants are familiar with schemes used by perpetrators to override internal controls and commit fraud.