Why Internal Control Systems Won’t Protect You Against Fraud

Effective internal controls are the cornerstones of integrity for many organizations’ financial and accounting information, by promoting accountability and preventing fraud. At least that’s what we’ve long been led to believe. Not surprisingly, a huge amount of work goes into ensuring that controls are in place, documented and tested to provide evidence that they are designed and operating effectively.

And yet all this work is for nothing if employees are able to circumvent the control structure. You may think your internal controls are bulletproof, but a recent study by the Association of Certified Fraud Examiners (ACFE) highlights the limitations of internal controls for fraud detection. It found that internal controls were not the first, as you might expect, but only the fourth most common way to detect fraud.

Large corporations have both risk and internal audit functions that expend huge amounts of time thinking about these things. They produce copious amounts of process documentation and compliance tests. More often than not, they will boast dedicated risk and control applications.

So where are they going wrong?

With the best will in the world, companies become too comfortable with their internal controls and rarely ever think beyond “What can go wrong?” There is an enduring assumption that employees will follow the process and the four eyes principle, whereby others check work completed by colleagues, and that this will provide enough of a safeguard.

The reality, however, is that the sheer volume of transactions on the balance sheet doesn’t allow you to do this practically. What’s also true is that people get creative and work around documented processes–not necessarily with malicious intent. But your employees, including senior management, are smart. If committing fraud is on their to-do list, the obvious way is through management override of internal controls.

The most frequent types of management fraud involve fictitious or premature revenue recognition to enhance earnings. While it is possible to make adjustments in subledgers, this often requires collusion with other organizational departments.

Top-side journal entry is most susceptible to fraud by management override. For example, someone can post numerous smaller journal entries to various business unit general ledgers to circumvent approval processes. This also makes it more difficult for auditors to detect the malfeasance. In large-scale frauds including WorldCom, management override of the journal entry process was the key contributing factor.

This shows how manual journal entries are an obvious point of weakness in the financial close process. Having a few manual journal entries is not a problem but scale that up to the numbers at play in a larger organization, which can easily run into the thousands, and the pressure that puts on the close soon becomes apparent. From experience, high volumes of manual journal entries usually hide systemic problems with the financial close process.

The truth is, no one can ever eliminate manual journal entries entirely. However, you can minimize their number – and the ensuing risk of fraud—by standardizing and streamlining your financial process and then automating it to make the process less prone to errors. With finance automation software that both calculates and posts journals, such as accruals, and automated preventative and detective controls combined with processes that discourage manual journal entries, you can also reduce your reporting and closing cycle time. It’s what you might call a win-win.

Still think your internal controls are up to the task?

Find out how to eliminate manual journal entries and reduce the risk of fraud with Redwood Finance Automation