Professional Documents
Culture Documents
INTERNAL
CONTROL
AND FRAUD
INTAUD - H002
(For Inte rnal Use Only)
OVERVIEW OF CONTROL
d) The cost of internal control must not be greater than its benefits.
Page | 1
CLASSIFYING CONTROLS
Primary Controls
Preventive controls deter the occurrence of unwanted events.
Storing petty cash in a locked safe and segregating duties are examples
of this type of control. IT examples include
designing a database so that users cannot enter a letter in the
field that stores a Social Security number
requiring the number of invoices in a batch to be entered before
processing begins.
Secondary Controls
Compensatory (mitigative) controls may reduce risk when the
primary controls are ineffective. However, they do not, by themselves,
reduce risk to an acceptable level. An example is the lack of
segregation of duties when a store clerk is the only employee present at
closing. Accordingly, the clerk counts cash at the end of the day. The
compensating control performed the next morning is for a supervisor to
reconcile the count with the cash register data.
Page | 2
Complementary controls work with other controls to reduce risk to an
acceptable level. In other words, their synergy is more effective than
either control by itself. For example, separating the functions of
accounting for and custody of cash receipts is complemented by
obtaining deposit slips validated by the bank.
Time-Based Classification
Feedback controls report information about completed activities. They
permit improvement in future performance by learning from past
mistakes. Thus, corrective action occurs after the fact. Inspection of
completed goods is an example.
Page | 3
People-Based vs. System-Based Controls
People-based controls are dependent on the intervention of humans for
their proper operation, for example, regular performance of bank
reconciliations. Checklists, such as lists of required procedures for
month-end closing, can be valuable to ensure that people-based
controls are executed when needed.
MANAGEMENT CONTROLS
The chief executive officer (CEO) should establish the tone at the top.
Organizations reflect the ethical values and control consciousness of the CEO.
The chief accounting officer also has a crucial role to play. Accounting staff
have insight into activities across all levels of the organization.
Board of Directors
1) The entity’s commitment to integrity and ethical values is reflected in
the board’s selections for senior management positions.
Internal Auditors
1) Management is ultimately responsible for the design and function of
the system of internal controls. However, an organization’s internal
audit function may play an important consulting and advisory role.
Page | 4
2) The internal audit function also evaluates the soundness of the system
of internal control by performing systematic reviews according to
professional standards.
Other Personnel
1) Everyone in the entity must be involved in internal control and is
expected to perform his/her appropriate control activities.
Organization
Organization, as a means of control, is an approved intentional
structuring of roles assigned to people within the organization so that it can
achieve its objectives efficiently and economically.
a) Responsibilities should be divided so that no one person will control all
phases of any transaction
b) Managers should have the authority to take the action necessary to
discharge their responsibilities.
Page | 5
c) Individual responsibility always should be clearly defined so that it can
be neither sidestepped nor exceeded.
d) An official who assigns responsibility and delegates authority to
subordinates should have an effective system of follow-up. Its purpose
is to ensure that tasks assigned are properly carried out.
e) The individuals to whom authority is delegated should be allowed to
exercise that authority without close supervision. But they should check
with their superiors in case of exceptions.
f) People should be required to account to their superiors for the manner
in which they have discharged their responsibilities.
g) The organization should be flexible enough to permit changes in its
structure when operating plans, policies, and objectives change.
h) Organizational structures should be as simple as possible.
i) Organization charts and manuals should be prepared. They help plan
and control changes in, as well as provide better understanding of, the
organization, chain of authority, and assignment of responsibilities.
Policies
A policy is any stated principle that requires, guides, or restricts action.
Policies should follow certain principles.
Page | 6
d) Policies should be designed to promote the conduct of authorized
activities in an effective, efficient, and economical manner. They
should provide a satisfactory degree of assurance that resources are
suitably safeguarded.
Procedures
Procedures are methods employed to carry out activities in conformity
with prescribed policies. The same principles applicable to policies also are
applicable to procedures. In addition,
The extent to which automatic internal checks should be built into the
system of control depends on many factors. Examples are:
degree of risk,
cost of preventive procedures,
availability of personnel,
operational impact, and
feasibility.
Page | 7
Personnel
People hired or assigned should have the qualifications to do the jobs
assigned to them. The best form of control over the performance of individuals
is supervision. Hence, high standards of supervision should be established. The
following practices help improve control:
Accounting
Accounting is the indispensable means of financial control over
activities and resources. It is a framework that can be fitted to assignments of
responsibility. Moreover, it is the financial scorekeeper of the organization. The
problem lies in what scores to keep. Some basic principles for accounting
systems follow:
a) Accounting should fit the needs of managers for rational decision
making rather than the dictates of a textbook or check list.
Page | 8
Budgeting
A budget is a statement of expected results expressed in numerical
terms. As a control, it sets a standard for input of resources and what should be
achieved as output and outcomes.
Reporting
In most organizations, management functions and makes decisions on
the basis of reports it receives. Thus, reports should be timely, accurate,
meaningful, and economical. The following are some principles for establishing
a satisfactory internal reporting system:
Page | 9
4) Reports should be as simple as possible and consistent with the nature
of the subject matter. They should include only information that serves
the needs of the readers. Common classifications and terminology
should be used as much as possible to avoid confusion.
Page | 10
c) The Turnbull Report, known formally as Internal Control: Guidance
for Directors on the Combined Code, is named for Nigel Turnbull,
chair of the committee that drafted the report. It was originally
published in 1999 by the Financial Reporting Council (FRC) of the UK
and re-released as Internal Control: Revised Guide for Directors on the
Combined Code in 2005.
Effects of Fraud
a) Monetary losses from fraud are significant, but its full cost is
immeasurable in terms of time, productivity, and reputation, including
customer relationships.
Page | 11
Causative Factors of Fraud
a) Pressure or incentive is the need the fraudster is trying to satisfy by
committing the fraud.
Examples of Fraud
a) Asset misappropriation is stealing cash or other assets (supplies,
inventory, equipment, and information). The theft may be concealed,
e.g., by adjusting records. An example is embezzlement, the intentional
appropriation of property entrusted to one’s care.
b) Skimming is theft of cash before it is recorded, for example, accepting
payment from a customer but not recording the sale.
c) Disbursement fraud involves payment for fictitious goods or services,
overstatement of invoices, or use of invoices for personal reasons.
d) Expense reimbursement is payment for fictitious or inflated expenses,
for example, an expense report for personal travel, nonexistent meals,
or extra mileage.
e) Payroll fraud is a false claim for compensation, for example, overtime
for hours not worked or payments to fictitious employees.
f) Financial statement misrepresentation often overstates assets or revenue
or understates liabilities and expenses. Management may benefit by
selling stock, receiving bonuses, or concealing another fraud.
g) Information misrepresentation provides false information, usually to
outsiders in the form of fraudulent financial statements.
h) Corruption is an improper use of power, e.g., bribery. It often leaves
little accounting evidence. These crimes usually are uncovered through
tips or complaints from third parties. Corruption often involves the
purchasing function.
i) Bribery is offering, giving, receiving, or soliciting anything of value to
influence an outcome. Bribes may be offered to key employees such as
purchasing agents. Those paying bribes tend to be intermediaries for
outside vendors.
Page | 12
j) A conflict of interest is an undisclosed personal economic interest in a
transaction that adversely affects the organization or its shareholders.
k) A diversion redirects to an employee or outsider a transaction that
would normally benefit the organization.
l) Wrongful use of confidential or proprietary information is fraudulent.
m) A related party fraud is receipt of a benefit not obtainable in an arm’s-
length transaction.
n) Tax evasion is intentionally falsifying a tax return.
Page | 13
A fraud risk assessment generally includes the following:
Identifying and prioritizing fraud risk factors and fraud
schemes
Mapping existing controls to potential fraud schemes
and identifying gaps
Testing operating effectiveness of fraud prevention and
detection controls
Documenting and reporting the fraud risk assessment
FRAUD - INDICATORS
Page | 14
Terminology of Fraud Indicators
A document symptom is any kind of tampering with the accounting
records to conceal a fraud. Keeping two sets of books or forcing the
books to reconcile are examples.
Page | 15
5) Established controls not applied consistently
Page | 16