Strong Accounting Processes Don’t Protect from Fraud (Internal Controls Do)

Many businesses work diligently to implement strong accounting processes within their finance teams—and for good reason. Strong processes are essential for efficiency and accuracy.

But, many business leaders are surprised to discover that, even with solid processes, a company can still have an incredibly vulnerable accounting environment.

The truth is that strong processes don’t correlate to the strong control environment needed to combat fraud and errors. To stay ahead of risks and drive better business performance, you must also invest in creating strong internal controls.

What Is the Difference Between a Process and a Control?

A process is a series of actions or steps taken to accomplish a specific task. A control is a follow-up action performed by someone who did not complete the task that ensures that the job was performed accurately and completely.

For example, a staff accountant adding a new vendor to the vendor master file is a process. The corresponding control would be the accounting manager’s review of the new vendor setup. As part of this control, the accounting manager would ensure that:

• The information input conforms to the underlying support.
• All necessary information is input into the accounting system.
• The address and remittance request information is consistent with that of a third-party source, such as a vendor’s website.
• The vendor appears legitimate.

Stated plainly, in order for a control to be designed and operating effectively, someone independent of the process must perform a secondary review. The work must be reviewed by someone who did not prepare it.

Why Pursue Strong Controls in Addition to Strong Processes?

The absence of strong internal controls creates vulnerabilities in your company’s accounting environment.

Even if your company has strong processes, without strong internal controls, you’re susceptible to common fraud schemes, such as check, expense, kickback and payroll fraud. These types of fraud are not necessarily associated with weak accounting processes and typically occur when there are no internal controls or when existing controls are overridden.

And beyond cases of intentional fraud, internal controls also protect against accidental errors or oversights.

When strong internal controls are present, you can expect a more protected accounting environment overall. The presence of anti-fraud controls is associated with lower fraud losses, quicker fraud detection and reduced errors in financial statements—which helps provide accurate insights for informed decision making.

How Can I Strengthen My Company’s Control Environment?

Each organization’s control environment and risks will be different, but, in general, you can begin strengthening your controls by taking a few basic steps:

• Document all existing policies, procedures and controls.
• Identify risks in the accounting processes.
• Identify gaps in your current environment, and determine if your existing controls are able to mitigate associated risks.
• Review internal controls periodically to verify that they are operating as intended; if needed, revise the controls.
• Segregate duties as much as possible among team members, especially in activities related to handling financial records and cash. No single person should be solely responsible for an entire process.
• Document reviews and approvals (i.e., operation of the control) and maintain the evidentiary support, including signoffs, initials with date, notations, meeting minutes, emails, etc.
• Perform periodic access reviews to ensure team members have the appropriate level of access to bank accounts and accounting systems based on their job position and duties.
• Conduct surprise audits/reviews of internal controls.
• Train team members about the importance of a strong control environment.
• Identify opportunities for automation, ideally where there are repetitive or rule-based processes.
• Institute mandatory vacation policies. (Controls around job rotation, mandatory vacation policies and surprise audits are associated with at least a 50% reduction in both median loss and median duration associated with a fraud event.)

How Should Businesses Balance Implementing Strong Controls with Operational Efficiency of Processes?

Of course, businesses looking to amend weak internal controls should be cautious to not overcorrect. Instituting excessive or unnecessary precautions can create time delays and frustrations within your team. It’s important to identify the balance for your organization that strengthens your control environment without sacrificing efficiency in processes.

Begin with understanding your unique risk situation to prioritize efforts and identify where controls should be implemented to maximize benefit without creating unnecessary work. Consider how you may be able to streamline and/or automate the processes you have in place and determine how to create controls without hiring more staff.

Evaluate the balance of preventative controls (intended to decrease the chance of errors and fraud before they occur) and detective controls (intended to find errors or problems after the transaction has occurred). Preventative controls are often efficient and take the form of automated system controls. You may also want to identify areas where you could establish an overarching control instead of implementing multiple lower-level controls.

Continuously monitor and test your internal controls and always consider the costs of controls in comparison to the benefit of preventing fraud and errors. The inconvenience of adding a control is oftentimes minute compared to the effects of a fraudulent event.

Where Should You Start if You’re Concerned Your Accounting Department Has Strong Processes, but Not Strong Controls?

The journey to strong internal controls begins with a thorough business process review. This is a formal process conducted by an experienced professional that will highlight current vulnerabilities and inefficiencies, and then pinpoint where to streamline processes and strengthen controls—specific to your company’s unique scenario, risks and needs.

Connect with a Warren Averett advisor to start the conversation.