“Cooking the books” is a phrase that refers to falsifying financial statements so one can commit accounting fraud. Perhaps the landmark example of cooking the books was Enron, the U.S. energy company that coasted on accounting fraud until it imploded in 2001, leading to the passage of the Sarbanes-Oxley Act the following year.

“SOX,” as the law is known, is intended to reduce the risk of accounting fraud and unreliable financial reporting among publicly traded companies – but financial fraud can still happen. When it does, the stock price can tumble and saddle shareholders with huge losses.

Moreover, perpetrating such frauds almost always invites legal trouble for the company, harming its financial position, competitiveness, and reputation.

Can Internal Controls Help to Prevent Fraud?


In almost all accounting fraud cases involving financial statement manipulation, the manipulation happened because of weak or absent internal controls that gave executives at the company the opportunity to engage in fraud.

A company’s internal controls are the defenses against the misstatement of financial results – regardless of whether those misstatements are caused by deliberate fraud or by innocent mistake. Internal controls assure the audit committee, board of directors, and senior management that the company’s financial reporting is reliable and compliant with applicable laws and regulations.

Implementing various types of internal controls to increase transparency and accountability in the system is imperative. Multiple checks and balances deter employees from fudging financial information and indulging in fraudulent activities and accounting behaviors.

A system of internal controls and audit trails, combined with vigorous documentation requirements, verification, and sign-off, can also improve fraud detection and prevention, ultimately reducing fraud risk and protecting the organization from harm.

What Are Internal Controls Over Financial Reporting?

Internal controls are those practices used by a firm to assure that its rules are followed. The framework for effective internal control developed by COSO, the Committee of Sponsoring Organizations, will help the company to achieve:

  • Reliable financial reporting
  • Compliance with rules and regulations
  • Strong business operations

According to the COSO framework, an effective internal control system must have five interrelated “components,” which come from how the business is run daily:

  • The control environment at the highest level of the firm. This includes factors like the “tone at the top” in ethics and the efficiency with which the board’s audit committee oversees financial reporting at the highest level.
  • Risk assessment to evaluate risks associated with the various procedures and data sources used to produce the company’s financial reporting.
  • Control activities to address the risks that have been identified.
  • Information and communication to gather and disseminate information about risks to those responsible for financial reporting or risk management.
  • Monitoring to assure continued vigilance in operations, compliance, and financial reporting even as the company evolves over time.

Internal Controls to Prevent Financial Statement Fraud

Internal controls to address the risk of fraudulent financial statements and reports begin at the transaction level of accounting. They can also be instituted outside the accounting function, to improve oversight of financial processes, maintain the integrity of financial statements, and strengthen the company’s operations.

The following internal controls are basic steps any business can take to reduce fraud risk.

Segregation of Duties

“Segregation of duties” is the principle that no single person in the accounting department should have multiple responsibilities that could let the person commit fraud. For example, record-keeping, authorization, and review activities should be divided among different employees. Segregation reduces the risk of error and inappropriate actions that may lead to fraud.

At the very least, organizations should segregate the duties for:

  • Receiving cash or checks
  • Preparing deposits
  • Handling cash receipts and deposits
  • Reconciling deposits and other transactions
  • Writing checks
  • Preparing financial statements

Implement a Reconciliation Process

A systematic, formal reconciliation process for all key accounts is a critical internal control. For example, all incoming check logs should be reconciled against deposits. In addition, regularly examine bank statements and canceled checks to assure that bills are not issued out of sequence (which can indicate the presence of missing reviews and fraudulent activities).

Examining canceled checks (processed and cleared by the bank) is vital to assure that only authorized personnel sign checks. Likewise, one should verify that all endorsements, reimbursements, and expenditures are appropriate and that all vendors are legitimate.

In alignment with the segregation of duties, an independent person who doesn’t have bookkeeping or check signing responsibilities should be in charge of reconciliation. The reconciliation report should be signed and dated by this authorized person to document that the reconciliation was performed, when, and by whom.

It’s also a good idea to inform all employees that accounts will be reviewed and reconciled regularly, and that any discrepancies will be investigated thoroughly. This awareness can reduce the temptation to manipulate financial statements.
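As an added illustration of the reconciliation and independence checks described in this section (example code, not from the original article or any product it mentions): a Python example that compares a log of incoming checks with deposits, flags a reconciler who also holds bookkeeping or check-signing duties, and looks for gaps or repeats in a run of issued check numbers. All record fields, person names, duty labels and sample data are constructed assumptions.

```python
from collections import Counter

# Duties the reconciler must not hold, per the text (labels are assumptions).
CONFLICTING_DUTIES = {"bookkeeping", "check_signing"}

def reconcile(check_log, deposits, reconciler, duties_by_person):
    """Compare logged incoming checks with deposits; return a findings dict."""
    logged = Counter((c["check_no"], c["amount_cents"]) for c in check_log)
    banked = Counter((d["check_no"], d["amount_cents"]) for d in deposits)
    held = duties_by_person.get(reconciler, set())
    return {
        "logged_not_deposited": sorted((logged - banked).elements()),
        "deposited_not_logged": sorted((banked - logged).elements()),
        "reconciler_conflicts": sorted(held & CONFLICTING_DUTIES),
    }

def sequence_gaps(issued_check_numbers):
    """Return (missing, repeated) numbers within a run of issued checks."""
    if not issued_check_numbers:
        return [], []
    seen = Counter(issued_check_numbers)
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    repeated = sorted(n for n, count in seen.items() if count > 1)
    return missing, repeated

# Constructed sample data, for illustration only.
CHECK_LOG = [
    {"check_no": "A-1001", "amount_cents": 125000},
    {"check_no": "A-1002", "amount_cents": 40000},
    {"check_no": "A-1003", "amount_cents": 78050},
]
DEPOSITS = [
    {"check_no": "A-1001", "amount_cents": 125000},
    {"check_no": "A-1003", "amount_cents": 70050},  # amount differs from the log
]
DUTIES = {"alice": {"bookkeeping"}, "bob": {"review"}}

if __name__ == "__main__":
    print(reconcile(CHECK_LOG, DEPOSITS, "alice", DUTIES))
    print(sequence_gaps([5001, 5002, 5004, 5004, 5006]))
```

An amount mismatch appears on both sides of the report (logged at one value, deposited at another), which is what an investigator needs to see side by side.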

Use an External Auditor

Financial statement fraud is often perpetrated by management. Therefore, an auditor with good credentials should examine financial statements annually to prevent this from happening. (For publicly traded companies in the United States, for example, annual external audits are required by law.)

Provide Board of Directors Oversight

The board of directors should oversee all operations and management. In particular, the board should:

  • Compare actual revenue and spending to budgeted income and expenses, to find and investigate significant variations, mismatches, or errors.
  • Review the check register or general ledger.
  • Assure that the approval of all financial and audit procedures, as well as substantial expenditures, is documented.
  • Evaluate C-suite performance against written job descriptions.
  • Require independent external auditors to present the annual financial statements.

Review Inventory, Journal Entries, and Electronic Transfers

Internal controls to review inventory, equipment, and other assets are also vital. Inventory counts should be done randomly throughout the year by a person who isn’t incentivized to misreport. General journal entries should also be reviewed at least monthly. Any large or unusual amounts should be noted and investigated as red flags.

Wire transfers, particularly to offshore bank accounts, are a favored method of fraud. Therefore, audit or compliance officers should regularly review such transactions to assure that all are legitimate, involve authorized parties, and are supported by appropriate documentation.

Set a Strong Tone at the Top

A vibrant environment of internal accounting controls can only exist with a strong tone at the top. Management should demonstrate ethical behavior, commit to integrity and honesty, and lead by example. Communicate all ethics, values, and procedures across the enterprise through written policies.

Create policies for the following:

  • Cash disbursements, receipts, and reconciliations
  • Expense and travel reimbursements
  • Petty cash access, receipts, and reconciliation
  • Voiding checks
  • Blank check access and storage
  • Purchasing guidelines
  • Conflicts of interest

The consequences of disobeying these procedures should also be written and straightforward. Board members should approve every policy.

Set Up a Fraud Hotline

A confidential hotline to report fraud allows employees to report any possible manipulation of financial statements safely. When whistleblowers are protected, they are more likely to feel safe raising a red flag and unlikely to leave the organization. Insiders are your best chance of detecting and preventing fraud. (SOX requires all publicly traded companies to establish internal hotlines. Other laws require companies to strive to prevent retaliation against whistleblowers.)

Leverage ZenRisk to Mitigate the Risk of Fraud

Financial statement fraud may not be as accessible or familiar as other types of fraud, such as asset misappropriation. It can, however, still cause severe problems for your organization. Adequate internal controls can protect your organization from such misstatement frauds.

Mitigate the risk of financial statement fraud by improving visibility into your risk environment with ZenRisk from Reciprocity. Identify relevant risks, improve risk assessments, and see where they’re changing to reduce your risk of fraud.

ZenRisk offers a single source of truth to help you streamline your risk management program. Policies and procedures are revision-controlled and easy to find in the document repository. Workflow management features offer easy tracking, automated reminders, and audit trails. Insightful reporting and dashboards give visibility to gaps and high-risk areas to reach auditing standards.

To see how ZenRisk works, schedule a demo.
