The theme of the last three blogs was “look behind the curtain” in order to tell the fraud story. Upon reflection, maybe I did not tell the entire fraud story. Maybe I did not look behind the right curtain. So, this month, we are going to look behind a different curtain.
Do Internal Controls Really Work the Way the Literature Suggests?
This summer I hired a high school senior, a graduate of Choate Rosemary Hall, to write a paper. If you are not familiar with the school, this is an excerpt from their website:
“Choate attracts intellectually gifted and motivated students from diverse backgrounds whose commitment to serious study is enhanced in this personally supportive and academically challenging setting. On a campus that inspires a particular sensitivity to beauty, teachers—who share genuine respect and affection for young people—impart an enthusiasm for life and for learning.”
I asked him to read the fraud literature, starting with the FCPA through the most current literature, the Fraud Risk Management Guide: Second Edition, a joint effort between COSO and ACFE. I asked him to look at recent frauds or, as I once called them, internal control failures.
In doing all this reading, I asked him to write a paper with the following theme: “Do internal controls work in real life, the way all the literature suggests?” I made myself available to him, I read his paper, and I suggested edits, but the paper represents his views and only his views. During this time, we collaborated, we debated, and we argued.
Let me tell you why this paper is important to me and our profession. All of us have a vested interest in saying internal controls mitigate fraud risk. We write papers, we speak at conferences, we help write the leading literature on internal controls and fraud risk. Yet, every month, every year, we read about significant frauds that have occurred. We like to say the fraud occurred due to control failures. Maybe that is true, but maybe it is not true. I think we need to differentiate between internal control theory and internal control reality.
To be clear, I am not suggesting we throw out COSO or the Fraud Guide or any other defining literature. I think it is time we asked ourselves: does our profession really understand how to mitigate fraud risk or, as I now call it, a “statement of fraud risk”?
I would appreciate it if you would read the attached paper. Keep an open mind. Challenge everything you think you know about fraud risk mitigation. After reading his paper, ask yourself how he changed your view on this all-important topic. Remember, this is a bright student with no preconceived ideas about internal control or fraud risk. He has no vested interest.
In all honesty, reading his paper was the best CPE I have had in a long time. It made me think! So, I want to thank Julen for taking this journey with me.
FYI, I do plan to go back to the look behind the curtain, but we are planning a two-month vacation from the topic. Next month we will discuss account takeover. My good friend Sheila suggested this topic.
Exploring Fraud Theory: An Analysis of Modern Internal Control Structures and Their Efficacy (an excerpt)
An organization is like a balloon: air comes in and goes out the main intake/outtake in the form of income and legitimate costs. Every internal party (vendors, employees, and managers) is on the inside of the balloon helping things run efficiently. They all have some degree of power to poke holes and divert funds or tear the balloon, which seems impossible to manage. The current anti-fraud structure creates internal controls meant to avoid too much power falling into one party’s hands through separation of duties and other general controls. This fails, as internal parties have relative independence on how they use their pin, and the only thing guiding their usage is the risk to reward of poking a hole for them. So how does an organization do this? Pour water through the balloon and see where there are outflows and vulnerabilities. The only way to find fraud is to analyze data on a massive scale and uncover layers to funds exiting the organization, making it too risky for internal parties to pop the metaphorical balloon. Keep this idea in mind while creating a fraud outline. I will revisit this analogy later in the paper with additional context. For this paper, I will go into why impacting the individual’s risk/reward is the best and only method of anti-fraud mitigation.
Trivia Answers to Last Month's Questions
What are the five types of forgery? Yes, there may be more! Do you know why I selected forgery? Think.
- No attempt
- Freehand of original
- Trace of original
- Cut and paste
- Electronic signatures
What are four signs of a forged signature? Yes, there may be more!
- Slow and methodical strokes
- An unnatural tremor
- Substituted pages
- Multi blunt point ends. Each time the pen starts and ends, it creates a small dot.
Fraud Trivia (answers coming in the next blog)
- What are the four types of Phishing?
- What is evil twin phishing?
- What is whaling?
- Where did the word phishing originate?