What’s the ‘why’? Understand the purpose of each control to prevent fraud
Consider this recent case study. A smaller local government had a limited number of staff working in its finance department. The finance director had broad access and authority over many of the agency's financial operations, including wire transfers. Because of this, someone else reconciled the bank statement each month. A key element of the agency's control structure was a simultaneous review of the bank activity itself, looking for fraud red flags such as odd, unusual or unexpected activity or vendors.
Unfortunately, the finance director in this case study was able to misappropriate a large dollar amount, achieved in part by directly wiring money to herself from the agency's bank account. So why didn't the bank statement review catch these wires?
The answer is that the person responsible for this bank statement review did not understand the “why” behind her assigned step in the process. She believed her role was simply to reconcile the bank statement, matching the inflows and outflows on the bank statement to the receipts and expenses in the general ledger. She didn't realize the process was also meant to detect red flags in bank activity. Despite reconciling multiple bank statements that clearly showed wires sent to the finance director, the reviewer focused on the dollar amounts only and did not detect this misappropriation.
The lesson learned from this case is simple in theory: It's crucial that each staff member understand not only their day-to-day duties, but what those duties are meant to achieve (the why). However, this concept can be more difficult to apply due to some common missteps in the way we discuss internal controls.
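To make the distinction concrete, here is an added example (not from the original article) that separates the two things the reviewer in the case study was supposed to do: agree the bank statement to the ledger, and screen the same activity for red flags. The statement, ledger, staff roster and vendor list are constructed sample data; the flag rules (outgoing payment to a staff member, wire to an unapproved payee) are illustrative assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    date: str
    kind: str        # "DEPOSIT", "CHECK", "WIRE" or "ACH"
    payee: str
    amount: Decimal  # positive = money in, negative = money out

def norm(name: str) -> str:
    """Normalise a payee name so 'J. Doe' and 'j. doe' compare equal."""
    return " ".join(name.lower().split())

# Constructed sample data: the ledger carries the same amounts as the bank
# statement, but the wire is booked under a vague description.
BANK = [
    Txn("2024-03-01", "DEPOSIT", "County Treasurer", Decimal("25000.00")),
    Txn("2024-03-04", "CHECK", "Acme Office Supply", Decimal("-1200.00")),
    Txn("2024-03-10", "WIRE", "J. Doe", Decimal("-18500.00")),
    Txn("2024-03-15", "ACH", "Payroll Service", Decimal("-4300.00")),
]
LEDGER = [
    Txn("2024-03-01", "DEPOSIT", "Property tax remittance", Decimal("25000.00")),
    Txn("2024-03-04", "CHECK", "Office supplies", Decimal("-1200.00")),
    Txn("2024-03-10", "WIRE", "Contract services", Decimal("-18500.00")),
    Txn("2024-03-15", "ACH", "March payroll", Decimal("-4300.00")),
]
STAFF = {norm("J. Doe")}                       # finance staff with transfer authority
APPROVED_VENDORS = {norm("Acme Office Supply"), norm("Payroll Service")}

def reconcile(bank: list[Txn], ledger: list[Txn]) -> Decimal:
    """The 'what': difference between bank and ledger totals (0 = they agree)."""
    return sum(t.amount for t in bank) - sum(t.amount for t in ledger)

def red_flags(bank: list[Txn], staff: set[str], vendors: set[str]) -> list[tuple[Txn, str]]:
    """The 'why': outgoing activity that agrees to the ledger but should still be questioned."""
    flags = []
    for t in bank:
        if t.amount >= 0:
            continue  # only outgoing money is screened here
        if norm(t.payee) in staff:
            flags.append((t, "outgoing payment to a staff member"))
        elif t.kind == "WIRE" and norm(t.payee) not in vendors:
            flags.append((t, "wire to a payee not on the approved vendor list"))
    return flags

if __name__ == "__main__":
    print("bank vs ledger difference:", reconcile(BANK, LEDGER))   # 0.00: totals agree
    for txn, reason in red_flags(BANK, STAFF, APPROVED_VENDORS):
        print(f"RED FLAG {txn.date} {txn.kind} {txn.amount} to {txn.payee}: {reason}")
```

Run as written, the reconciliation balances exactly while the wire to the staff member is flagged: the amounts-only review passes, and only the red-flag review surfaces the problem.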
If you've been through an audit, you might have heard the auditors discuss their method for describing control processes. Each control involves:
- Someone (who)
- Doing something (what)
- For a specified objective (why).
We can fall into the habit of focusing only on the first two elements and describing a control as simply, “Frank reviews payroll.” Omitting the objective raises the question: What is Frank reviewing for? What does the agency need him to review for, and what is he actually reviewing for? In the case of payroll, he might be looking for fake (ghost) employees, reviewing the hours worked for “reasonableness,” scanning net pay for consistency across months, checking that paycheck numbers run consecutively, or something entirely different. Without clearly defining and communicating the intended objective to Frank, it's quite possible he will not carry out the control step as desired.
Steps to ensure your staff understand the objective or the “why” behind their tasks will depend on how your agency designs, analyzes and communicates its internal control practices. Some ideas to consider are:
- Map out the internal control process for each system (over-the-counter cash receipting, third-party cash receipting, credit cards, accounts payable, etc.). Look for the crucial points in the process (often called “key internal controls”) and speak to the staff carrying out those tasks about the desired objective.
- Perform a self-check. Interview staff and ask the staff what they think the intended objectives of their tasks are, and see if their understanding lines up with the agency's desired objectives.
- Review protocols, procedures or “desk” manuals that describe a person's tasks, and add the objective for each process step.
- Start with your elected officials or audit committee. Ask them what they think the objectives of their review of key reports are. Do their responses line up with your expectations? And are you giving them enough information to achieve those objectives? For example, if you rely on them to make sure all payments are legitimate, they should be given the invoices to examine, not just a check listing.
For internal control assessment tools and other fraud resources, please visit our Preventing Fraud web page.