|
|
Total Number of Subscribers: 426 |
|
|
|
||
|
|
||
|
Date: 27 May 2008 |
Compiled by Mr. M. Sathya Kumar |
|
|
|
The Risk Of Weak Internal Controls It is estimated that the typical US
organization loses 6 per cent of its annual revenue to fraud - prevention is
the solution but what systems and controls should organizations put in place? The 2004 Report to
the Nation on Occupational Fraud and Abuse by the Association of Certified
Fraud Examiners (ACFE) cites this chilling statistic: "Participants in
this study, anti-fraud specialists with a median of 16 years of experience in
the fraud examination field, estimate that the typical US organization loses
6 per cent of its annual revenue to fraud. Applied to the US Gross Domestic
Product for 2003, this translates to approximately $660bn in total
losses." Despite the authoritative source of this estimate, its sheer
magnitude might prompt sceptics to discount it as a self-serving alarm
conveniently unsupported by case-by-case documentation. Now evidence is
coming to light that suggests that the findings of the ACFE report are, if
anything, underestimations. The driving force behind the exposure of fraud on such an epic
scale is the Sarbanes-Oxley Act of 2002, a product of the firestorm of public
outrage ignited by the Enron accounting debacle. One of the requirements of
Sarbanes-Oxley (SOX) is that corporations must disclose material weaknesses
or significant deficiencies in their internal controls, known in the
vernacular of this legislation as a 404 attestation. Proving the sages at the
ACFE to be uncannily prescient, nearly 600 companies made such internal
control weakness disclosures last year, with more than half related to fraud1.
In fact, almost 10 per cent of annual reports in the past year have received
adverse SOX 404 audit opinions.2 While the fraud cases like those at Enron and WorldCom earn big
headlines and fall under the rubric of inappropriate 'expense recognition';
asset misappropriation due to fraudulent disbursements remains the core,
tried-and-true tactic of the corporate fraudster. According to the ACFE, the
top three techniques for fleecing an organization of its assets through
fraudulent disbursements are all related to the accounts payable (AP)
process: billing schemes, check tampering and expense reimbursement abuse. Prevention is the
Solution
Perhaps the most daunting aspect of the battle against fraud,
aside from the staggering scope of the task, is that after-the-fact remedies
are frequently futile. The ACFE calculates that the median recovery from a
loss due to fraud is only 20 per cent, and 40 per cent of those defrauded
recover nothing. The clear implication is that prevention is the only
effective course, yet prevention means intercepting or blocking an event or
series of events that have proven capable of eluding established internal
controls. It would be difficult to find a finance professional who didn't
believe that his or her company's existing controls are an effective
deterrent to fraud. Yet the ACFE report reveals that fraud is more likely to
be exposed by accident (21.3 per cent of cases) than by internal controls
(18.4 per cent), and tips remain a more prevalent source of detection (39.6 per
cent) than internal audits (23.8 per cent). Clearly, if the open wound of
corporate fraud is to be staunched, internal controls will need more than a
band-aid to fight the problem. Most, if not all of the factors that contribute to fraud, and in
particular AP-related fraud, can be neutralized with:
As an examination of the following true tale of light-fingered
larceny reveals, a strong control environment would have made it almost
impossible for such fraud to take place. A True Tale of Fraud
Our tale concerns a husband and wife team who colluded with an
outside vendor to fleece their company of at least $2m over a seven-year
period. As related by Robert Sells, senior associate at the recovery audit
firm Connolly Consulting of Atlanta, the target of this sustained fraud was
the well-respected newspaper, The Charlotte Observer, where poor internal
controls contributed to the scandal it was, to its considerable
embarrassment, obliged to report in its own pages. The mastermind of the scheme was Mr Johnson, a 22-year employee
of the newspaper with an unblemished record. It was Mr Johnson's good fortune
to serve as a purchasing manager who also had authority to both receive goods
and services and approve invoices for the same. The invoices would naturally
flow through the AP department, where Mr Johnson's wife happened to work. All
the Johnsons needed to complete a seamless scam was a co-operative and unscrupulous
vendor with whom to connive. Mr Johnson cultivated a friendship with a
favorite supplier until they became close enough that he could propose his
ploy: 'for every two shipments you send me, invoice 'The Charlotte Observer'
for three, and we'll split the payment for the phantom shipment'. The breakdowns in internal controls that allowed this
arrangement to prosper over such a long time are manifold. Consolidating so
many responsibilities in the hands of even the most trusted of employees is
the first bright-scarlet flag. A married couple with entangled duties
connected with AP is another red flare. Significant budget variances, on the
order of $50,000 of bogus charges per month per department, were overlooked
as boom times created a lax atmosphere that tolerated such large
discrepancies. Poor inventory controls allowed non-existent shipments to be
processed and paid for. To top it all off, nobody involved was bonded and the
company wasn't insured against such a loss. While there is no question that better systems and procedures
might have excised this cancerous scheme, simply bringing common sense to
bear would have at least curtailed the loss. During the seven years that the
Johnsons were siphoning off a substantial chunk of the newspaper's revenue,
their lifestyle took a dramatic turn for the better. They sold their old
home, moved into a new lakefront mansion in an exclusive neighborhood, added
a swanky boat, traveled like pashas and stockpiled fancy automobiles. Indeed,
not only did Johnson flaunt his new-found wealth, he abandoned discretion
entirely by incessantly putting himself into the picture in the very high
profile world of NASCAR (the National Association for Stock Car Auto Racing).
Every week, it seemed, he would be photographed bear-hugging the winner at
the victory celebration, an awesome display of insider status in the region's
most revered sport. Meanwhile, his demeanor around the office was quite the
opposite. Formerly out-going and hands-on, Johnson retreated into his office
where he spent most of each day behind a closed door and drawn blinds. How
could everyone have failed to notice? The answer is that of course people
noticed, but they didn't trust their intuition enough to call Johnson's
bluff. All Johnson had to do to deflect curiosity over the course of the
better part of a decade was claim an aunt died and left him an inheritance.
Naturally, once the fraud was unmasked, the aunt was discovered to be as
imaginary as the stream of phantom shipments Johnson authorized and his wife
paid for. Clearly, a woeful failure to segregate duties was at the heart
of this calamity. Had Johnson not had the power to approve his own actions,
this fraud might have been prevented altogether. Improved transparency and
more disciplined approval framework would also, at the very least, make fraud
such as Johnson's more difficult to launch and impossible to sustain. While Mr and Mrs Johnson eventually received their comeuppance -
curiously, The Charlotte Observer did not take immediate legal action upon
their exposure - the newspaper nonetheless took a substantial hit, both in
terms of financial loss and tarnished reputation. Nor were the perpetrators
the only people to suffer: managers who presided over the slipshod operations
were fired; steering lives and careers off track. The real tragedy of this
tale is that if today's business automation software and associated best
business practices had been in place at the newspaper, this entire fraud
case, and all the damage that ensued, would never have occurred Importance of Strong
Internal Controls
All fraud requires opportunity to flourish, the kind of
opportunity provided by paper messiness, murky audit trails and sloppy
business processes. The best deterrent for fraud is a strong internal
controls environment where the risk of detection is high. As the 18th century
English philosopher, Jeremy Bentham, propounded in his classic criminal
theory, the greater the risk of detection, the less likely a person is to
violate the law. What makes potential fraudsters pause - from the CEO to the
average rank-and-file employee - is the fear of exposure. Business automation software institutes best practice workflows
that act as a super deterrent. Automating internal controls increases the
risk of a wrongdoer getting caught and thus locking out fraud while also
significantly increasing operational efficiencies. At the end of the day,
fighting fraud and instituting best practice processes that are cost
efficient don't have to be mutually exclusive goals but can instead support
each other harmoniously and effectively. A cornerstone fraud-busting internal control is properly
maintaining transaction-level backup by associating it online with an ERP
record, providing unparalleled visibility into financial data for approvals, reviews
and audits. For example, by leveraging a document imaging system that is
tightly integrated with a company's ERP financial system, invoices can be
sent directly to the AP department instead of the field. All paper invoice
documentation can be scanned and then indexed into the ERP system using the
image instead of the actual paper document. This permanent association of
transaction-level back up to the ERP record has a dramatic impact on
preventing and detecting fraud. Central receipt of all invoices coupled with immediate front-end
imaging enables the earliest possible recording of liabilities and gives CFOs
the highest, most accurate visibility into AP accruals. In addition, costs
are reduced because it enables companies to decrease approval and review
cycle times and eliminate rush invoices, which allows them to take early
payment discounts and avoid late payment penalties. This visibility also supports a strong approval environment
where authorizations can be made with a clear line of sight not only into all
transaction-level backup but also the complete audit history that is tracked
by the workflow software. As countless case histories from the annals of fraud make clear,
strict segregation of duties is essential to maintaining proper internal controls.
While the concept is simple, systematic implementation and enforcement of
segregated duties is difficult and rarely achieved. The logical place to
start is with the ERP system. Most systems have tried to address segregated
duties through a security framework, which governs the functionality accorded
to each authorized user. This classification approach is expensive to design,
deploy, support and maintain. As employees are promoted, reassigned or
terminated, organizations must continually update their ERP systems with
everyone's correct authorization level, which rarely occurs in practice. With business process automation and document imaging
technology, companies can monitor the invoice as it transitions from one step
to the next. The system tracks all of the changes and maintains a
comprehensive audit trail. In this way, at each point of the process,
companies have a record of what was performed and by whom for all prior steps, enabling them to automatically
catch potential conflicts at the transaction level. Since segregation can be enforced at the transaction level
instead of the job role level, employees can still be allowed to perform
multiple functions as long as they don't perform conflicting duties on the
same transaction. Through the use of real-time monitoring of business
transactions that identify potential policy violations, payment errors,
system misuse and fraud while routing them for executive review and
disposition, companies can minimize risk while boosting productivity. In the end, a strong business process automation solution
defines and enforces clear policies and procedures, automating financial
processes with all of the business rules defined in best practice workflows.
This fortifies the effectiveness and efficiency of a strong internal and
external audit function, helping to avoid financial misstatements. Auditors
can be given self-service access to complete audit trails and complete
transaction backup for every financial transaction so that controls can be
quickly tested and audit costs are thus minimized. Standardized best practice
processes across an entire organization drive superior business performance,
ROI and sustainable competitive advantage. Coutesy : Mr. Rakesh Shukla |
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
Rewards waiting for feedback at |
|
|
|
|
|
|
|
||
|
|
|
|
|
|
Disclaimer: We believe that the information contained in this e-zine is true. If you do not wish to receive Smart Trainee please click here. |
|
|
|
||
|
|
|
|
|
|
Click here to contact us, if you are unable to view the content properly |
|
|
|
|
|
