As Fraud Proliferates, Internal Controls Become a Priority

February 19, 2019

Alan Wenk, corporate accounts payable manager at the Performance Contracting Group in Lenexa, Kansas, believes that AP professionals can sometimes lose sight of the “whys and wherefores” of internal controls.

“Organizations put internal controls in place to safeguard assets, prevent and detect both fraud and errors, reduce the organization’s exposure to risk, and ensure that management is provided with the information needed to perform tasks and meet goals,” says Wenk. "Yet despite the precautions that most companies take, there are daily reports in the news about cases of AP-related fraud that could have been prevented if effective internal controls had been in place or enforced," he adds.

Many incidents involve a “trusted” employee bilking the organization for sums ranging from nuisance amounts to figures that are incredibly large. Time and time again, it's shown that the reason that the fraud was undetected was because of sloppy or nonexistent internal controls, says Wenk. "If you do not have controls currently in place, or you don’t enforce them or understand how they work, it’s time to become more vigilant. The old adage 'trust no one' may seem cynical, but when it comes to AP, it’s just good practice."

Types of Internal Controls

There are four basic types of internal controls—preventive, detective, corrective, and compensating.

Preventive controls make it difficult for fraud and errors to occur. Segregation of duties is an example of a preventive control, as is a defined approval process. Reported just recently in the news was the case of a municipal employee who had sole responsibility for receivables, payables, and payroll. She had free access to the town’s money, with no controls in place. She had a gambling problem and began to steal from the town. The fraud continued for five years before it was detected. Had preventive controls been put in place, this would likely not have occurred.

Detective controls are those which are likely to uncover errors or fraud. Reconciliation of bank statements is an example of a detective control–an official audit is another. Most AP departments participate in an annual audit by the organization’s outside auditor. Complete audits of the AP department by the internal auditing group are less common but can provide a wealth of information related to how existing controls are working–or not. Clearly, it is preferable to have sufficient preventive controls in place to avoid problems. But detective controls are also necessary to ensure that the preventive controls are actually functioning as designed. Sadly, in some companies, detective controls are put into place only when fraud is suspected, and the fraudster’s actions begin to be monitored.

Corrective controls are those put in place once a problem has been discovered. Additional training or the creation of a new report are examples of corrective controls that might be implemented to fix a problem. Again, it is often after an incident of fraud or a suspected breach that corrective controls are put into place. In a recent case of fraud by a ferry company employee, the trusted employee had been stealing from the company for 12 years. It was only after the fraud was discovered that corrective controls were put into place, and no further incidents of fraud have taken place since.

Compensating controls are often put in place in smaller organizations where segregating duties is difficult. It is a means of making up for the fact that somewhere in the process, control is lacking. Requiring the CFO to review reports or sign checks is an example of a compensating control that is commonly put in place. In the case of the municipal employee mentioned earlier, the employee had no staff and no oversight. The perception within the system was that there was “no other option” than to give her full control. However, there are always other options. Even the town mayor or the Board of Finance could have provided the needed controls.

Even the Best Laid Plans Sometimes Fail

Even when controls are well-designed, they do not always accomplish what they were designed to do. The most common reasons that controls fail are related to the way people do their jobs. For example:

  • People may not know (or they say they don’t know) the correct procedures;
  • Controls are specifically ignored, and a trusted employee is given control over more duties than he or she should;
  • Staffers are anxious to complete a task and override a control to “get the job done;”
  • Managers become lax (for example, a supervisor signs whatever is laid on his or her desk for a signature without properly reviewing the document); and/or
  • Coworkers share their passwords.

Taking Controls for Granted

Since most AP professionals work within a process that was created before they entered the picture, they tend to take the existence of controls for granted.

But what would happen if controls were removed from the picture? Even if fraud were not involved, it’s not hard to imagine the types of things that might ensue. Invoices might be paid for work not done or goods not received. Valid invoices might be paid twice. Vendors could find their way into the master vendor file in two or three separate listings. Unreconciled accounts might misrepresent the amount of the organization’s cash reserves.

It’s Everyone’s Job

Controls are an important part of the daily life of accounts payable. They ensure that the organization’s financial reporting is reliable, that the organization’s operations are both efficient and effective, and that the organization is complying with all laws and regulations.

Strong and effective internal controls are not just the responsibility of the internal control department. Everyone within an organization has the responsibility for ensuring that the controls related to their job or function are followed.

This is particularly important in AP because AP controls one of the organization’s most important assets–the cash. Just following existing controls is not enough. It is part of AP’s job to identify possible control gaps and suggest ways to remedy them.

Building A Risk Control Matrix

  1. Identify all business processes by department (e.g., AP check processing, vendor setup).
  2. Determine what risks are associated with each of these processes. “What could go wrong?”
  3. Answer the following questions:
     • What is the risk level (High, Medium, Low)?
     • What assertion needs to be verified (Existence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure)?
     • What type of controls are in place (Preventive, Detective, Manual, Automated)?
     • Will the controls, if they are operating as designed, ensure the objective?

No matter how well internal controls are designed, they can only provide reasonable assurance that objectives have been achieved. Some limitations will be inherent in all internal control systems. However, an earnest effort must be made to cover as many bases as possible.
