Ten Ways Your Internal Controls Go Wrong ǽƎƥşƎưƁхļưхŧƀƀŧŘǵƎȔŧхǨțǨǵŧƮхƺƀхƎưǵŧǠưļƥхŘƺưǵǠƺƥхКхƀƺǠхƀƎưļưŘƎļƥхǠŧǝƺǠǵƎưƁϮхǝǠƎȔļŘțϮхļưǵƎЗ ŘƺǠǠǽǝǵƎƺưϮхǨǽǝǝƥțхŘƉļƎưхƮļưļƁŧƮŧưǵхƺǠхļưțǵƉƎưƁхŧƥǨŧхКххƎǨхưƺхŧļǨțхǵļǨƢϭхŧƥƺȕхļǠŧхͳͲхŗļşх ƉļŗƎǵǨхǵƉļǵхŘƺƮǝƥƎļưŘŧхƺƀƀƎŘŧǠǨхǨƉƺǽƥşхļȔƺƎşϮхŧƎǵƉŧǠхȕƉƎƥŧхşŧǨƎƁưƎưƁхƎưǵŧǠưļƥхŘƺưǵǠƺƥǨхƺǠхǽǨƎưƁх them to execute your compliance program on an ongoing basis.
Your policies are written in a generic way. When a regulation says your company must adopt
ºƉŧхƮļưļƁŧǠǨхǠŧȔƎŧȕƎưƁх controls aren’t ǨǽƀƀƎŘƎŧưǵƥțхǨƢƎƥƥŧşхƺǠх trained to spot fraud.
Too many controls are in the wrong place. Internal controls first arose in the finance and accounting functions, but modern organizations need internal controls across IT and operations as well. For example, you might ƉļȔŧхưǽƮŧǠƺǽǨхļǝǝǠƺȔļƥхŘƺưǵǠƺƥǨх ƀƺǠхǝļțƮŧưǵǨхКхŗǽǵхưƺǵхŧưƺǽƁƉх IT controls to stop someone from ļƥǵŧǠƎưƁхǨƺƀǵȕļǠŧхǵƺхŘƎǠŘǽƮȔŧưǵх ǵƉŧхŘƺưǵǠƺƥϭхǠхțƺǽхƮƎƁƉǵхƉļȔŧх ǝƥŧưǵțхƺƀхǝǠƺŘŧǨǨЗƥŧȔŧƥхŘƺưǵǠƺƥǨх ЉǨǽŘƉхļǨхşǽŧхşƎƥƎƁŧưŘŧхǝƺƥƎŘƎŧǨЊх ŗǽǵхǵƺƺхƀŧȕхŧưǵƎǵțЗƥŧȔŧƥхŘƺưǵǠƺƥǨх ЉļǽşƎǵǨхǵƺхŘƺưƀƎǠƮхǵƉļǵхļх ǨǽŗǨƎşƎļǠțхƎǨưЩǵхǨƎƮǝƥțхƺȔŧǠǠƎşƎưƁх those policies). 8
1
5
written policies and procedures, şƺưЩǵхǨƎƮǝƥțхŘƺǝțхǵƉŧхƥļưƁǽļƁŧх of the rule, paste it into your employee manual, and declare it a policy. Policies should be written to reflect how employees ļǵхțƺǽǠхƺǠƁļưƎȥļǵƎƺưхļŘǵǽļƥƥțхȕƺǠƢϭ
rļưļƁŧǠǨхЉŧǨǝŧŘƎļƥƥțхƀƎǠǨǵЗǵƎƮŧх managers or managers new to țƺǽǠхŘƺƮǝļưțЊхƮƎƁƉǵхưƺǵхƢưƺȕх how to identify the seemingly endless number of fraud or corruption schemes employees ƮƎƁƉǵхŘƺưŘƺŘǵϭхŧхǨǽǠŧхǵƉŧțхƉļȔŧх the training they need or that ļưǵƎЗƀǠļǽşхǵŧļƮǨхşƺǽŗƥŧЗŘƉŧŘƢх ǵƉŧƎǠхȕƺǠƢϭ
You fail to consider the şƎȔŧǠǨƎǵțхƺƀхǝǠƺŘŧǨǨŧǨх across your enterprise. ưхļǝǝǠƺȔļƥхǝǠƺŘŧǨǨх
2
You fail update controls when the enterprise or ȕƺǠƢƀƺǠŘŧхŘƉļưƁŧǨϭх As companies expand or
6
ǵƉļǵхȕƺǠƢǨхƎưхțƺǽǠхtƺǠǵƉхƮŧǠƎŘļх şƎȔƎǨƎƺưхƮƎƁƉǵхưƺǵхȕƺǠƢхƎưхțƺǽǠх much smaller Latin America şƎȔƎǨƎƺưϰхļхşǽŧхşƎƥƎƁŧưŘŧхǝǠƺŘŧşǽǠŧх ǵƉļǵЩǨхǨǵǠļƎƁƉǵƀƺǠȕļǠşхƎưх.r.х ƮƎƁƉǵхŗŧхƎƮǝǠļŘǵƎŘļƥхƎưхǨƎļЗ¢ļŘƎɭŘϭх ºƉƎưƢхļŗƺǽǵхƉƺȕхşƎɪŧǠŧưǵхǝļǠǵǨхƺƀх the enterprise operate, and craft ŘƺưǵǠƺƥǨхǵƉļǵхǠŧɮŧŘǵхǵƉƺǨŧхǠŧļƥƎǵƎŧǨϭ You don’t sufficiently introduce should be accompanied ŗțхǵǠļƎưƎưƁхƺƀхǨƺƮŧхƢƎưşхЉļхƀƺǠƮļƥх ŘƺǽǠǨŧϮхļхǨƉƺǠǵхȔƎşŧƺхƀǠƺƮхǵƉŧх CCO or some other material) that explains why the control is necessary and how employees should interact with it. train employees on controls. .ȔŧǠțхưŧȕх technical control you 3
contract, old internal controls ЉǝƺƥƎŘƎŧǨϮхļǝǝǠƺȔļƥхǝǠƺŘŧǨǨŧǨϮх ƮļưļƁŧƮŧưǵхǠŧȔƎŧȕǨЊхƮƎƁƉǵх no longer fit the business. For ŧȚļƮǝƥŧϮхțƺǽхƮƎƁƉǵхƉļȔŧхļхǵȕƺЗ ǝŧǠǨƺưхļǝǝǠƺȔļƥхǝǠƺŘŧǨǨхļưşхǵƉŧưх go through layoffs, consolidating those two roles into one person. ºƉŧхǨƉƺǠǵЗǵŧǠƮхǨƺƥǽǵƎƺưхƎǨх to introduce a compensating ŘƺưǵǠƺƥϮхŗǽǵхşƺưЩǵхƥŧǵхǵƉļǵхŗŧŘƺƮŧх ļхŘǠǽǵŘƉϰхǠŧȔƎŧȕхǵƉŧхşŧǨƎƁưхƺƀх your controls to find and correct ȕŧļƢхǨǝƺǵǨϭ
You don’t audit your controls sufficiently. Internal controls should be tested often to be sure
9
that they are designed properly ļưşхȕƺǠƢхļǨхƎưǵŧưşŧşϭхºŧǨǵƎưƁх should happen at least annually, and after any major technology or ȕƺǠƢƀƺǠŘŧхŘƉļưƁŧϭх Leadership doesn’t unaddressed send the signal ǵƉļǵхƮļưļƁŧƮŧưǵхşƺŧǨưЩǵхŘļǠŧх about rigorous internal controls КхǨƺхțƺǽǠхȕŧļƢхƎưǵŧǠưļƥхŘƺưǵǠƺƥǨх ŘƺưǵƎưǽŧхǵƺхƀŧǨǵŧǠϮхļưşхƥƺȕŧǠЗƥŧȔŧƥх employees are more tempted ǵƺхǵļƢŧхļşȔļưǵļƁŧхƺƀхǵƉļǵхǝƺƺǠх ŘƺưǵǠƺƥхŧưȔƎǠƺưƮŧưǵϭхºƉŧхǵƺǝх şƺŧǨưЩǵхƟǽǨǵхưŧŧşхǵƺхǨŧǵхļхƁƺƺşх ǵƺưŧϰхƎǵхưŧŧşǨхǵƺхǵļƢŧхļŘǵƎƺưϮхǵƺƺϭ stress the importance of controls remediation. Audit findings left 10
Your segregation of duties is flawed. This ƮŧļưǨхǵƉļǵхțƺǽхƉļȔŧưЩǵх ƺǠƁļưƎȥŧşхțƺǽǠхŘƺƮǝļưțЩǨх
7
ßƺǽǠхƮļưļƁŧƮŧưǵхǠŧȔƎŧȕх controls are inefficient. rļưļƁŧƮŧưǵхǠŧȔƎŧȕх ŘƺưǵǠƺƥǨхǨƉƺǽƥşхƉļȔŧхļх
ȕƺǠƢƀƥƺȕǨхǝǠƺǝŧǠƥțϮхǨƺхǨƺƮŧх ǠƺƥŧǨхƮƎƁƉǵхƉļȔŧхƺȔŧǠƥļǝǝƎưƁх duties that allow people to commit fraud or corruption. Try ǨŧŧƢƎưƁхƉŧƥǝхƀǠƺƮхƎưǵŧǠưļƥхļǽşƎǵϮх your external auditor or some other analyst who could identify those conflicting duties and help țƺǽхǨŧǝļǠļǵŧхǵƉŧƮхǵƺхǠŧşǽŘŧхǠƎǨƢϭ
4
ƮļưļƁŧǠхǠŧȔƎŧȕхŧȚŘŧǝǵƎƺưǨхǵƺх ǝƺƥƎŘțхƺǠхǵƉŧхƺȔŧǠļƥƥхǝŧǠƀƺǠƮļưŘŧх of automated controls. If the ƮļưļƁŧǠхƮǽǨǵхǠŧȔƎŧȕхŧȔŧǠțх ǵǠļưǨļŘǵƎƺưϮхǵƉŧțхȕƎƥƥхǟǽƎŘƢƥțхŗŧх ƺȔŧǠȕƉŧƥƮŧşхļưşхŗŧхƮƺǠŧхƥƎƢŧƥțх ǵƺхǠǽŗŗŧǠЗǨǵļƮǝхŧȔŧǠțхǠŧǟǽŧǨǵϭх
Top 10 list by Matt Kelly
corporatecomplianceinsights.com | 19
Made with FlippingBook Ebook Creator