Any weakness in your internal controls leaves the door open for fraud. It’s not a comfortable thought, but this is particularly the case in smaller organisations where staff assume multiple roles and responsibilities. So how do you control the risk of error and fraud in your business?
Now, the outcomes of poor control are not always as dramatic as out-and-out fraud. Another, more frequent consequence is that errors go undetected, which in turn can lead to unnecessary problems. Either way, it’s bad news for your business if you don’t take control.
A key element of internal control is the appropriate segregation of duties within the organisation.
The main purpose here is to prevent fraud in the form of asset misappropriation and intentional financial misstatement by segregating duties so that no employee or group of employees can be in a position to perpetrate and/or conceal errors or fraud in the normal course of their duties.
The main duties to be segregated in any organisation are:
- Authorisation or approval of related transactions
- Recording or reporting of related transactions
- Reconciliation of those assets or related transactions
- Custody of the related asset
Areas where these controls are critical include:
- Procurement and accounts payable
- Rostering and timesheet approval
- Payroll processing and banking
- Invoicing, credit notes, banking and bank reconciliation
If internal control is to be effective, there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities and those who handle assets. In general, the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of or serves to check on the work of another. Such arrangements reduce the risk of undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements.
Proper segregation of duties also serves as a deterrent to fraud and concealment of error because the perpetrator must now recruit another individual’s cooperation and collusion in the act.
However, not all situations call for additional layers of people.
Highly efficient checks and balances can be instigated via IT controls like passwords, proper user delegations and effective exception reporting. If you’re not already doing this, you’ll most likely find that it’s simply a matter of implementing technology that already exists in your current system. If it doesn’t exist, it’s time to review your system.
An example of where segregation is required through access rights is the amendment of an employee’s personnel information, including banking details. The employee or group of employees responsible for this function ideally would not have system access to both make amendments and process payroll as normal. Alternatively, the system will not accept the amendment until it has been authorised by another user.
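The two controls described above, sketched in Python as an added example that is not code from this article or from any particular payroll product: a check that flags users holding more than one of the four duties within a process, and a bank-detail amendment that only takes effect once a different, authorised user approves it. The class, function and user names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

# The four duties the article lists as needing segregation.
DUTIES = {"authorise", "record", "reconcile", "custody"}

def sod_conflicts(assignments):
    """Map (user, process) -> duties, for users holding 2+ duties in one process."""
    held = {}
    for user, process, duty in assignments:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty: {duty}")
        held.setdefault((user, process), set()).add(duty)
    return {key: sorted(d) for key, d in held.items() if len(d) > 1}

@dataclass
class BankDetailChange:
    employee_id: str
    new_account: str
    requested_by: str
    approved_by: str = ""  # stays empty until a second user approves

class PayrollMaster:
    """Holds bank details; an amendment applies only after a second user approves."""
    def __init__(self, approvers):
        self.approvers = set(approvers)  # users with the authorisation right
        self.accounts = {}               # employee_id -> account in effect
        self.exceptions = []             # rejected approvals, for exception reporting

    def request_change(self, employee_id, new_account, requested_by):
        return BankDetailChange(employee_id, new_account, requested_by)

    def approve(self, change, approver):
        if approver not in self.approvers:
            reason = "approver lacks authorisation right"
        elif approver == change.requested_by:
            reason = "requester cannot approve own amendment"
        else:
            change.approved_by = approver
            self.accounts[change.employee_id] = change.new_account
            return True
        self.exceptions.append((approver, change.employee_id, reason))
        return False

# Constructed sample data: (user, process, duty)
SAMPLE_ASSIGNMENTS = [
    ("alice", "payroll", "record"), ("alice", "payroll", "authorise"),
    ("bob", "payroll", "reconcile"), ("bob", "accounts_payable", "authorise"),
]
```

Running `sod_conflicts(SAMPLE_ASSIGNMENTS)` reports only alice, who both records and authorises payroll; bob holds one duty in each of two processes and is not flagged.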
IT controls shouldn’t be limited to the accounting system; they should extend to all key programs where the potential to conceal errors or fraud is strong. Identifying the key systems and processes where proper segregation is required would generally be done through a risk assessment of business processes.